diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:22:51 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:22:51 +0000 |
commit | 9ada0093e92388590c7368600ca4e9e3e376f0d0 (patch) | |
tree | a56fe41110023676d7082028cbaa47ca4b6e6164 /doc/man | |
parent | Initial commit. (diff) | |
download | pam-9ada0093e92388590c7368600ca4e9e3e376f0d0.tar.xz pam-9ada0093e92388590c7368600ca4e9e3e376f0d0.zip |
Adding upstream version 1.5.2.upstream/1.5.2upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
89 files changed, 11319 insertions, 0 deletions
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am new file mode 100644 index 0000000..78c891d --- /dev/null +++ b/doc/man/Makefile.am @@ -0,0 +1,63 @@ +# +# Copyright (c) 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> +# + +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) + +EXTRA_DIST = $(MANS) $(XMLS) + +man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \ + pam_acct_mgmt.3 pam_authenticate.3 \ + pam_chauthtok.3 pam_close_session.3 pam_conv.3 \ + pam_end.3 pam_error.3 \ + pam_fail_delay.3 pam_xauth_data.3 \ + pam_get_authtok.3 pam_get_authtok_noverify.3 pam_get_authtok_verify.3 \ + pam_get_data.3 pam_get_item.3 pam_get_user.3 \ + pam_getenv.3 pam_getenvlist.3 \ + pam_info.3 \ + pam_open_session.3 \ + pam_prompt.3 pam_putenv.3 \ + pam_set_data.3 pam_set_item.3 pam_syslog.3 \ + pam_setcred.3 pam_sm_acct_mgmt.3 pam_sm_authenticate.3 \ + pam_sm_close_session.3 pam_sm_open_session.3 pam_sm_setcred.3 \ + pam_sm_chauthtok.3 pam_start.3 pam_strerror.3 \ + pam_verror.3 pam_vinfo.3 pam_vprompt.3 pam_vsyslog.3 \ + misc_conv.3 pam_misc_paste_env.3 pam_misc_drop_env.3 \ + pam_misc_setenv.3 +XMLS = pam.3.xml pam.8.xml \ + pam_acct_mgmt.3.xml pam_authenticate.3.xml \ + pam_chauthtok.3.xml pam_close_session.3.xml pam_conv.3.xml \ + pam_end.3.xml pam_error.3.xml \ + pam_fail_delay.3.xml pam_xauth_data.3 \ + pam_get_authtok.3.xml pam_get_data.3.xml pam_get_item.3.xml \ + pam_get_user.3.xml pam_getenv.3.xml pam_getenvlist.3.xml \ + pam_info.3.xml \ + pam_open_session.3.xml \ + pam_prompt.3.xml pam_putenv.3.xml \ + pam_set_data.3.xml pam_set_item.3.xml pam_syslog.3.xml \ + pam_setcred.3.xml pam_sm_acct_mgmt.3.xml pam_sm_authenticate.3.xml \ + pam_sm_close_session.3.xml pam_sm_open_session.3.xml \ + pam_sm_setcred.3.xml pam_start.3.xml pam_strerror.3.xml \ + pam_sm_chauthtok.3.xml \ + pam_item_types_std.inc.xml pam_item_types_ext.inc.xml \ + pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \ + misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \ + pam_misc_setenv.3.xml + +if ENABLE_REGENERATE_MAN +PAM.8: pam.8 +pam_get_authtok_noverify.3: pam_get_authtok.3 +pam_get_authtok_verify.3: pam_get_authtok.3 +pam_verror.3: pam_error.3 +pam_vinfo.3: pam_info.3 +pam_vprompt.3: pam_prompt.3 +pam_vsyslog.3: pam_syslog.3 +pam.d.5: pam.conf.5 + test -f $(srcdir)/pam\\.d.5 && mv $(srcdir)/pam\\.d.5 $(srcdir)/pam.d.5 ||: + +pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml +pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml +pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/doc/man/Makefile.in b/doc/man/Makefile.in new file mode 100644 index 0000000..42fd8d0 --- /dev/null +++ b/doc/man/Makefile.in @@ -0,0 +1,748 @@ +# Makefile.in generated by automake 1.16.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2020 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> +# +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = doc/man +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/attribute.m4 \ + $(top_srcdir)/m4/gettext.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/intlmacosx.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 \ + $(top_srcdir)/m4/ld-z-now.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/m4/warn_lang_flags.m4 \ + $(top_srcdir)/m4/warnings.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man3dir = $(mandir)/man3 +am__installdirs = "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +BUILD_CFLAGS = @BUILD_CFLAGS@ +BUILD_CPPFLAGS = @BUILD_CPPFLAGS@ +BUILD_LDFLAGS = @BUILD_LDFLAGS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CRYPT_CFLAGS = @CRYPT_CFLAGS@ +CRYPT_LIBS = @CRYPT_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +EXE_CFLAGS = @EXE_CFLAGS@ +EXE_LDFLAGS = @EXE_LDFLAGS@ +FGREP = @FGREP@ +FO2PDF = @FO2PDF@ +GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +NIS_CFLAGS = @NIS_CFLAGS@ +NIS_LIBS = @NIS_LIBS@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSL_CFLAGS = @NSL_CFLAGS@ +NSL_LIBS = @NSL_LIBS@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ +STRIP = @STRIP@ +TIRPC_CFLAGS = @TIRPC_CFLAGS@ +TIRPC_LIBS = @TIRPC_LIBS@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +systemdunitdir = @systemdunitdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) +EXTRA_DIST = $(MANS) $(XMLS) +man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \ + pam_acct_mgmt.3 pam_authenticate.3 \ + pam_chauthtok.3 pam_close_session.3 pam_conv.3 \ + pam_end.3 pam_error.3 \ + pam_fail_delay.3 pam_xauth_data.3 \ + pam_get_authtok.3 pam_get_authtok_noverify.3 pam_get_authtok_verify.3 \ + pam_get_data.3 pam_get_item.3 pam_get_user.3 \ + pam_getenv.3 pam_getenvlist.3 \ + pam_info.3 \ + pam_open_session.3 \ + pam_prompt.3 pam_putenv.3 \ + pam_set_data.3 pam_set_item.3 pam_syslog.3 \ + pam_setcred.3 pam_sm_acct_mgmt.3 pam_sm_authenticate.3 \ + pam_sm_close_session.3 pam_sm_open_session.3 pam_sm_setcred.3 \ + pam_sm_chauthtok.3 pam_start.3 pam_strerror.3 \ + pam_verror.3 pam_vinfo.3 pam_vprompt.3 pam_vsyslog.3 \ + misc_conv.3 pam_misc_paste_env.3 pam_misc_drop_env.3 \ + pam_misc_setenv.3 + +XMLS = pam.3.xml pam.8.xml \ + pam_acct_mgmt.3.xml pam_authenticate.3.xml \ + pam_chauthtok.3.xml pam_close_session.3.xml pam_conv.3.xml \ + pam_end.3.xml pam_error.3.xml \ + pam_fail_delay.3.xml pam_xauth_data.3 \ + pam_get_authtok.3.xml pam_get_data.3.xml pam_get_item.3.xml \ + pam_get_user.3.xml pam_getenv.3.xml pam_getenvlist.3.xml \ + pam_info.3.xml \ + pam_open_session.3.xml \ + pam_prompt.3.xml pam_putenv.3.xml \ + pam_set_data.3.xml pam_set_item.3.xml pam_syslog.3.xml \ + pam_setcred.3.xml pam_sm_acct_mgmt.3.xml pam_sm_authenticate.3.xml \ + pam_sm_close_session.3.xml pam_sm_open_session.3.xml \ + pam_sm_setcred.3.xml pam_start.3.xml pam_strerror.3.xml \ + pam_sm_chauthtok.3.xml \ + pam_item_types_std.inc.xml pam_item_types_ext.inc.xml \ + pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \ + misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \ + pam_misc_setenv.3.xml + +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/man/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu doc/man/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man3: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man3dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man3dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man3dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.3[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man3dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man3dir)" || exit $$?; }; \ + done; } + +uninstall-man3: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man3dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.3[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^3][0-9a-z]*$$,3,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man3dir)'; $(am__uninstall_files_from_dir) +install-man5: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) +install-man8: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(MANS) +installdirs: + for dir in "$(DESTDIR)$(man3dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) +clean: clean-am + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-man + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man3 install-man5 install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man + +uninstall-man: uninstall-man3 uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: all all-am check check-am clean clean-generic clean-libtool \ + cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man3 install-man5 install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am uninstall-man uninstall-man3 uninstall-man5 \ + uninstall-man8 + +.PRECIOUS: Makefile + + +@ENABLE_REGENERATE_MAN_TRUE@PAM.8: pam.8 +@ENABLE_REGENERATE_MAN_TRUE@pam_get_authtok_noverify.3: pam_get_authtok.3 +@ENABLE_REGENERATE_MAN_TRUE@pam_get_authtok_verify.3: pam_get_authtok.3 +@ENABLE_REGENERATE_MAN_TRUE@pam_verror.3: pam_error.3 +@ENABLE_REGENERATE_MAN_TRUE@pam_vinfo.3: pam_info.3 +@ENABLE_REGENERATE_MAN_TRUE@pam_vprompt.3: pam_prompt.3 +@ENABLE_REGENERATE_MAN_TRUE@pam_vsyslog.3: pam_syslog.3 +@ENABLE_REGENERATE_MAN_TRUE@pam.d.5: pam.conf.5 +@ENABLE_REGENERATE_MAN_TRUE@ test -f $(srcdir)/pam\\.d.5 && mv $(srcdir)/pam\\.d.5 $(srcdir)/pam.d.5 ||: + +@ENABLE_REGENERATE_MAN_TRUE@pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml +@ENABLE_REGENERATE_MAN_TRUE@pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml +@ENABLE_REGENERATE_MAN_TRUE@pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/doc/man/PAM.8 b/doc/man/PAM.8 new file mode 100644 index 0000000..da3a5d6 --- /dev/null +++ b/doc/man/PAM.8 @@ -0,0 +1,149 @@ +'\" t +.\" Title: pam +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +PAM, pam \- Pluggable Authentication Modules for Linux +.SH "DESCRIPTION" +.PP +This manual is intended to offer a quick introduction to +\fBLinux\-PAM\fR\&. For more information the reader is directed to the +\fBLinux\-PAM system administrators\*(Aq guide\fR\&. +.PP +\fBLinux\-PAM\fR +is a system of libraries that handle the authentication tasks of applications (services) on the system\&. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as +\fBlogin\fR(1) +and +\fBsu\fR(1)) defer to to perform standard authentication tasks\&. +.PP +The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable\&. In other words, the system administrator is free to choose how individual service\-providing applications will authenticate users\&. This dynamic configuration is set by the contents of the single +\fBLinux\-PAM\fR +configuration file +/etc/pam\&.conf\&. Alternatively, the configuration can be set by individual configuration files located in the +/etc/pam\&.d/ +directory\&. The presence of this directory will cause +\fBLinux\-PAM\fR +to +\fIignore\fR +/etc/pam\&.conf\&. +.PP +Vendor\-supplied PAM configuration files might be installed in the system directory +/usr/lib/pam\&.d/ +or a configurable vendor specific directory instead of the machine configuration directory +/etc/pam\&.d/\&. If no machine configuration file is found, the vendor\-supplied file is used\&. All files in +/etc/pam\&.d/ +override files with the same name in other directories\&. +.PP +From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the +\fBLinux\-PAM\fR +library\&. The important point to recognize is that the configuration file(s) +\fIdefine\fR +the connection between applications +(\fBservices\fR) and the pluggable authentication modules +(\fBPAM\fRs) that perform the actual authentication tasks\&. +.PP +\fBLinux\-PAM\fR +separates the tasks of +\fIauthentication\fR +into four independent management groups: +\fBaccount\fR +management; +\fBauth\fRentication management; +\fBpassword\fR +management; and +\fBsession\fR +management\&. (We highlight the abbreviations used for these groups in the configuration file\&.) +.PP +Simply put, these groups take care of different aspects of a typical user\*(Aqs request for a restricted service: +.PP +\fBaccount\fR +\- provide account verification types of service: has the user\*(Aqs password expired?; is this user permitted access to the requested service? +.PP +\fBauth\fRentication \- authenticate a user and set up user credentials\&. Typically this is via some challenge\-response request that the user must satisfy: if you are who you claim to be please enter your password\&. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart\-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication \- such is the flexibility of +\fBLinux\-PAM\fR\&. +.PP +\fBpassword\fR +\- this group\*(Aqs responsibility is the task of updating authentication mechanisms\&. Typically, such services are strongly coupled to those of the +\fBauth\fR +group\&. Some authentication mechanisms lend themselves well to being updated with such a function\&. Standard UN*X password\-based access is the obvious example: please enter a replacement password\&. +.PP +\fBsession\fR +\- this group of tasks cover things that should be done prior to a service being given and after it is withdrawn\&. Such tasks include the maintenance of audit trails and the mounting of the user\*(Aqs home directory\&. The +\fBsession\fR +management group is important as it provides both an opening and closing hook for modules to affect the services available to a user\&. +.SH "FILES" +.PP +/etc/pam\&.conf +.RS 4 +the configuration file +.RE +.PP +/etc/pam\&.d +.RS 4 +the +\fBLinux\-PAM\fR +configuration directory\&. Generally, if this directory is present, the +/etc/pam\&.conf +file is ignored\&. +.RE +.PP +/usr/lib/pam\&.d +.RS 4 +the +\fBLinux\-PAM\fR +vendor configuration directory\&. Files in +/etc/pam\&.d +override files with the same name in this directory\&. +.RE +.PP +<vendordir>/pam\&.d +.RS 4 +the +\fBLinux\-PAM\fR +vendor configuration directory\&. Files in +/etc/pam\&.d +and +/usr/lib/pam\&.d +override files with the same name in this directory\&. Only available if Linux\-PAM was compiled with vendordir enabled\&. +.RE +.SH "ERRORS" +.PP +Typically errors generated by the +\fBLinux\-PAM\fR +system of libraries, will be written to +\fBsyslog\fR(3)\&. +.SH "CONFORMING TO" +.PP +DCE\-RFC 86\&.0, October 1995\&. Contains additional features, but remains backwardly compatible with this RFC\&. +.SH "SEE ALSO" +.PP +\fBpam\fR(3), +\fBpam_authenticate\fR(3), +\fBpam_sm_setcred\fR(3), +\fBpam_strerror\fR(3), +\fBPAM\fR(8) diff --git a/doc/man/misc_conv.3 b/doc/man/misc_conv.3 new file mode 100644 index 0000000..8049e57 --- /dev/null +++ b/doc/man/misc_conv.3 @@ -0,0 +1,127 @@ +'\" t +.\" Title: misc_conv +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "MISC_CONV" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +misc_conv \- text based conversation function +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_misc\&.h> +.fi +.ft +.HP \w'int\ misc_conv('u +.BI "int misc_conv(int\ " "num_msg" ", const\ struct\ pam_message\ **" "msgm" ", struct\ pam_response\ **" "response" ", void\ *" "appdata_ptr" ");" +.SH "DESCRIPTION" +.PP +The +\fBmisc_conv\fR +function is part of +\fBlibpam_misc\fR +and not of the standard +\fBlibpam\fR +library\&. This function will prompt the user with the appropriate comments and obtain the appropriate inputs as directed by authentication modules\&. +.PP +In addition to simply slotting into the appropriate +\fBpam_conv\fR(3), this function provides some time\-out facilities\&. The function exports five variables that can be used by an application programmer to limit the amount of time this conversation function will spend waiting for the user to type something\&. The five variables are as follows: +.PP +\fBtime_t\fR \fIpam_misc_conv_warn_time\fR; +.RS 4 +This variable contains the +\fItime\fR +(as returned by +\fBtime\fR(2)) that the user should be first warned that the clock is ticking\&. By default it has the value +0, which indicates that no such warning will be given\&. The application may set its value to sometime in the future, but this should be done prior to passing control to the +\fILinux\-PAM\fR +library\&. +.RE +.PP +\fBconst char *\fR\fIpam_misc_conv_warn_line\fR; +.RS 4 +Used in conjunction with +\fIpam_misc_conv_warn_time\fR, this variable is a pointer to the string that will be displayed when it becomes time to warn the user that the timeout is approaching\&. Its default value is a translated version of +\(lq\&.\&.\&.Time is running out\&.\&.\&.\(rq, but this can be changed by the application prior to passing control to +\fILinux\-PAM\fR\&. +.RE +.PP +\fBtime_t\fR \fIpam_misc_conv_die_time\fR; +.RS 4 +This variable contains the +\fItime\fR +(as returned by +\fBtime\fR(2)) that the will time out\&. By default it has the value +0, which indicates that the conversation function will not timeout\&. The application may set its value to sometime in the future, but this should be done prior to passing control to the +\fILinux\-PAM\fR +library\&. +.RE +.PP +\fBconst char *\fR\fIpam_misc_conv_die_line\fR; +.RS 4 +Used in conjunction with +\fIpam_misc_conv_die_time\fR, this variable is a pointer to the string that will be displayed when the conversation times out\&. Its default value is a translated version of +\(lq\&.\&.\&.Sorry, your time is up!\(rq, but this can be changed by the application prior to passing control to +\fILinux\-PAM\fR\&. +.RE +.PP +\fBint\fR \fIpam_misc_conv_died\fR; +.RS 4 +Following a return from the +\fILinux\-PAM\fR +library, the value of this variable indicates whether the conversation has timed out\&. A value of +1 +indicates the time\-out occurred\&. +.RE +.PP +The following two function pointers are available for supporting binary prompts in the conversation function\&. They are optimized for the current incarnation of the +\fBlibpamc\fR +library and are subject to change\&. +.PP +\fBint\fR \fI(*pam_binary_handler_fn)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIprompt_p\fR); +.RS 4 +This function pointer is initialized to +NULL +but can be filled with a function that provides machine\-machine (hidden) message exchange\&. It is intended for use with hidden authentication protocols such as RSA or Diffie\-Hellman key exchanges\&. (This is still under development\&.) +.RE +.PP +\fBint\fR \fI(*pam_binary_handler_free)\fR(\fBvoid *\fR\fIappdata\fR, \fBpamc_bp_t *\fR\fIdelete_me\fR); +.RS 4 +This function pointer is initialized to +\fBPAM_BP_RENEW(delete_me, 0, 0)\fR, but can be redefined as desired by the application\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_conv\fR(3), +\fBpam\fR(8) +.SH "STANDARDS" +.PP +The +\fBmisc_conv\fR +function is part of the +\fBlibpam_misc\fR +Library and not defined in any standard\&. diff --git a/doc/man/misc_conv.3.xml b/doc/man/misc_conv.3.xml new file mode 100644 index 0000000..d902ba8 --- /dev/null +++ b/doc/man/misc_conv.3.xml @@ -0,0 +1,188 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="misc_conv"> + + <refmeta> + <refentrytitle>misc_conv</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="misc_conv-name"> + <refname>misc_conv</refname> + <refpurpose>text based conversation function</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="misc_conv-synopsis"> + <funcsynopsisinfo>#include <security/pam_misc.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>misc_conv</function></funcdef> + <paramdef>int <parameter>num_msg</parameter></paramdef> + <paramdef>const struct pam_message **<parameter>msgm</parameter></paramdef> + <paramdef>struct pam_response **<parameter>response</parameter></paramdef> + <paramdef>void *<parameter>appdata_ptr</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='misc_conv-description'> + <title>DESCRIPTION</title> + <para> + The <function>misc_conv</function> function is part of + <command>libpam_misc</command> and not of the standard + <command>libpam</command> library. This function will prompt + the user with the appropriate comments and obtain the appropriate + inputs as directed by authentication modules. + </para> + <para> + In addition to simply slotting into the appropriate <citerefentry> + <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, this function provides some time-out facilities. + The function exports five variables that can be used by an + application programmer to limit the amount of time this conversation + function will spend waiting for the user to type something. The + five variables are as follows: + </para> + <variablelist> + <varlistentry> + <term><type>time_t</type> <varname>pam_misc_conv_warn_time</varname>;</term> + <listitem> + <para> + This variable contains the <emphasis>time</emphasis> (as + returned by <citerefentry> + <refentrytitle>time</refentrytitle><manvolnum>2</manvolnum> + </citerefentry>) that the user should be first warned that + the clock is ticking. By default it has the value + <returnvalue>0</returnvalue>, which indicates that no such + warning will be given. The application may set its value to + sometime in the future, but this should be done prior to + passing control to the <emphasis>Linux-PAM</emphasis> library. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><type>const char *</type><varname>pam_misc_conv_warn_line</varname>;</term> + <listitem> + <para> + Used in conjunction with + <varname>pam_misc_conv_warn_time</varname>, this variable is + a pointer to the string that will be displayed when it becomes + time to warn the user that the timeout is approaching. Its + default value is a translated version of + <quote>...Time is running out...</quote>, but this can be + changed by the application prior to passing control to + <emphasis>Linux-PAM</emphasis>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><type>time_t</type> <varname>pam_misc_conv_die_time</varname>;</term> + <listitem> + <para> + This variable contains the <emphasis>time</emphasis> (as + returned by <citerefentry> + <refentrytitle>time</refentrytitle><manvolnum>2</manvolnum> + </citerefentry>) that the will time out. By default it has + the value <returnvalue>0</returnvalue>, which indicates that + the conversation function will not timeout. The application + may set its value to sometime in the future, but this should + be done prior to passing control to the + <emphasis>Linux-PAM</emphasis> library. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><type>const char *</type><varname>pam_misc_conv_die_line</varname>;</term> + <listitem> + <para> + Used in conjunction with + <varname>pam_misc_conv_die_time</varname>, this variable is + a pointer to the string that will be displayed when the + conversation times out. Its default value is a translated + version of + <quote>...Sorry, your time is up!</quote>, but this can be + changed by the application prior to passing control to + <emphasis>Linux-PAM</emphasis>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><type>int</type> <varname>pam_misc_conv_died</varname>;</term> + <listitem> + <para> + Following a return from the <emphasis>Linux-PAM</emphasis> + library, the value of this variable indicates whether the + conversation has timed out. A value of + <returnvalue>1</returnvalue> indicates the time-out occurred. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + The following two function pointers are available for supporting + binary prompts in the conversation function. They are optimized + for the current incarnation of the <command>libpamc</command> + library and are subject to change. + </para> + <variablelist> + <varlistentry> + <term> + <type>int</type> <varname>(*pam_binary_handler_fn)</varname>(<type>void *</type><varname>appdata</varname>, <type>pamc_bp_t *</type><varname>prompt_p</varname>); + </term> + <listitem> + <para> + This function pointer is initialized to + <returnvalue>NULL</returnvalue> but can be filled with a + function that provides machine-machine (hidden) message + exchange. It is intended for use with hidden authentication + protocols such as RSA or Diffie-Hellman key exchanges. + (This is still under development.) + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <type>int</type> <varname>(*pam_binary_handler_free)</varname>(<type>void *</type><varname>appdata</varname>, <type>pamc_bp_t *</type><varname>delete_me</varname>); + </term> + <listitem> + <para> + This function pointer is initialized to + <function>PAM_BP_RENEW(delete_me, 0, 0)</function>, but can be + redefined as desired by the application. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='misc_conv-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='misc_conv-standards'> + <title>STANDARDS</title> + <para> + The <function>misc_conv</function> function is part of the + <command>libpam_misc</command> Library and not defined in any + standard. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam.3 b/doc/man/pam.3 new file mode 100644 index 0000000..63f3e76 --- /dev/null +++ b/doc/man/pam.3 @@ -0,0 +1,302 @@ +'\" t +.\" Title: pam +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam \- Pluggable Authentication Modules Library +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.sp +.ft B +.nf +#include <security/pam_ext\&.h> +.fi +.ft +.SH "DESCRIPTION" +.PP +\fBPAM\fR +is a system of libraries that handle the authentication tasks of applications (services) on the system\&. The library provides a stable general interface (Application Programming Interface \- API) that privilege granting programs (such as +\fBlogin\fR(1) +and +\fBsu\fR(1)) defer to to perform standard authentication tasks\&. +.SS "Initialization and Cleanup" +.PP +The +\fBpam_start\fR(3) +function creates the PAM context and initiates the PAM transaction\&. It is the first of the PAM functions that needs to be called by an application\&. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel\&. But it is not possible to use the same handle for different transactions, a new one is needed for every new context\&. +.PP +The +\fBpam_end\fR(3) +function terminates the PAM transaction and is the last function an application should call in the PAM context\&. Upon return the handle pamh is no longer valid and all memory associated with it will be invalid\&. It can be called at any time to terminate a PAM transaction\&. +.SS "Authentication" +.PP +The +\fBpam_authenticate\fR(3) +function is used to authenticate the user\&. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print\&. +.PP +The +\fBpam_setcred\fR(3) +function manages the user\*(Aqs credentials\&. +.SS "Account Management" +.PP +The +\fBpam_acct_mgmt\fR(3) +function is used to determine if the user\*(Aqs account is valid\&. It checks for authentication token and account expiration and verifies access restrictions\&. It is typically called after the user has been authenticated\&. +.SS "Password Management" +.PP +The +\fBpam_chauthtok\fR(3) +function is used to change the authentication token for a given user on request or because the token has expired\&. +.SS "Session Management" +.PP +The +\fBpam_open_session\fR(3) +function sets up a user session for a previously successful authenticated user\&. The session should later be terminated with a call to +\fBpam_close_session\fR(3)\&. +.SS "Conversation" +.PP +The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\&. This callback is specified by the +\fIstruct pam_conv\fR +passed to +\fBpam_start\fR(3) +at the start of the transaction\&. See +\fBpam_conv\fR(3) +for details\&. +.SS "Data Objects" +.PP +The +\fBpam_set_item\fR(3) +and +\fBpam_get_item\fR(3) +functions allows applications and PAM service modules to set and retrieve PAM information\&. +.PP +The +\fBpam_get_user\fR(3) +function is the preferred method to obtain the username\&. +.PP +The +\fBpam_set_data\fR(3) +and +\fBpam_get_data\fR(3) +functions allows PAM service modules to set and retrieve free\-form data from one invocation to another\&. +.SS "Environment and Error Management" +.PP +The +\fBpam_putenv\fR(3), +\fBpam_getenv\fR(3) +and +\fBpam_getenvlist\fR(3) +functions are for maintaining a set of private environment variables\&. +.PP +The +\fBpam_strerror\fR(3) +function returns a pointer to a string describing the given PAM error code\&. +.SH "RETURN VALUES" +.PP +The following return codes are known by PAM: +.PP +PAM_ABORT +.RS 4 +Critical error, immediate abort\&. +.RE +.PP +PAM_ACCT_EXPIRED +.RS 4 +User account has expired\&. +.RE +.PP +PAM_AUTHINFO_UNAVAIL +.RS 4 +Authentication service cannot retrieve authentication info\&. +.RE +.PP +PAM_AUTHTOK_DISABLE_AGING +.RS 4 +Authentication token aging disabled\&. +.RE +.PP +PAM_AUTHTOK_ERR +.RS 4 +Authentication token manipulation error\&. +.RE +.PP +PAM_AUTHTOK_EXPIRED +.RS 4 +Authentication token expired\&. +.RE +.PP +PAM_AUTHTOK_LOCK_BUSY +.RS 4 +Authentication token lock busy\&. +.RE +.PP +PAM_AUTHTOK_RECOVERY_ERR +.RS 4 +Authentication information cannot be recovered\&. +.RE +.PP +PAM_AUTH_ERR +.RS 4 +Authentication failure\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +Conversation failure\&. +.RE +.PP +PAM_CRED_ERR +.RS 4 +Failure setting user credentials\&. +.RE +.PP +PAM_CRED_EXPIRED +.RS 4 +User credentials expired\&. +.RE +.PP +PAM_CRED_INSUFFICIENT +.RS 4 +Insufficient credentials to access authentication data\&. +.RE +.PP +PAM_CRED_UNAVAIL +.RS 4 +Authentication service cannot retrieve user credentials\&. +.RE +.PP +PAM_IGNORE +.RS 4 +The return value should be ignored by PAM dispatch\&. +.RE +.PP +PAM_MAXTRIES +.RS 4 +Have exhausted maximum number of retries for service\&. +.RE +.PP +PAM_MODULE_UNKNOWN +.RS 4 +Module is unknown\&. +.RE +.PP +PAM_NEW_AUTHTOK_REQD +.RS 4 +Authentication token is no longer valid; new one required\&. +.RE +.PP +PAM_NO_MODULE_DATA +.RS 4 +No module specific data is present\&. +.RE +.PP +PAM_OPEN_ERR +.RS 4 +Failed to load module\&. +.RE +.PP +PAM_PERM_DENIED +.RS 4 +Permission denied\&. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +Error in service module\&. +.RE +.PP +PAM_SESSION_ERR +.RS 4 +Cannot make/remove an entry for the specified session\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Success\&. +.RE +.PP +PAM_SYMBOL_ERR +.RS 4 +Symbol not found\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +System error\&. +.RE +.PP +PAM_TRY_AGAIN +.RS 4 +Failed preliminary check by password service\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User not known to the underlying authentication module\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_acct_mgmt\fR(3), +\fBpam_authenticate\fR(3), +\fBpam_chauthtok\fR(3), +\fBpam_close_session\fR(3), +\fBpam_conv\fR(3), +\fBpam_end\fR(3), +\fBpam_get_data\fR(3), +\fBpam_getenv\fR(3), +\fBpam_getenvlist\fR(3), +\fBpam_get_item\fR(3), +\fBpam_get_user\fR(3), +\fBpam_open_session\fR(3), +\fBpam_putenv\fR(3), +\fBpam_set_data\fR(3), +\fBpam_set_item\fR(3), +\fBpam_setcred\fR(3), +\fBpam_start\fR(3), +\fBpam_strerror\fR(3) +.SH "NOTES" +.PP +The +\fIlibpam\fR +interfaces are only thread\-safe if each thread within the multithreaded application uses its own PAM handle\&. diff --git a/doc/man/pam.3.xml b/doc/man/pam.3.xml new file mode 100644 index 0000000..0b1efcc --- /dev/null +++ b/doc/man/pam.3.xml @@ -0,0 +1,439 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam3'> + + <refmeta> + <refentrytitle>pam</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam3-name'> + <refname>pam</refname> + <refpurpose>Pluggable Authentication Modules Library</refpurpose> + </refnamediv> + + <refsynopsisdiv id='pam3-synopsis'> + <funcsynopsis> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam3-description'> + <title>DESCRIPTION</title> + <para> + <emphasis remap='B'>PAM</emphasis> is a system of libraries + that handle the authentication tasks of applications (services) + on the system. The library provides a stable general interface + (Application Programming Interface - API) that privilege granting + programs (such as + <citerefentry> + <refentrytitle>login</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> and <citerefentry> + <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>) + defer to to perform standard authentication tasks. + </para> + + <refsect2 id='pam3-initialization_and_cleanup'> + <title>Initialization and Cleanup</title> + <para> + The + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function creates the PAM context and initiates the + PAM transaction. It is the first of the PAM functions that needs to + be called by an application. The transaction state is contained + entirely within the structure identified by this handle, so it is + possible to have multiple transactions in parallel. But it is not + possible to use the same handle for different transactions, a new + one is needed for every new context. + </para> + <para> + The + <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function terminates the PAM transaction and is the last + function an application should call in the PAM context. Upon return + the handle pamh is no longer valid and all memory associated with it + will be invalid. It can be called at any time to terminate a PAM + transaction. + </para> + </refsect2> + + <refsect2 id='pam3-authentication'> + <title>Authentication</title> + <para> + The + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + function is used to + authenticate the user. The user is required to provide an + authentication token depending upon the authentication service, + usually this is a password, but could also be a finger print. + </para> + <para> + The + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + function manages the user's credentials. + </para> + </refsect2> + + <refsect2 id='pam3-account_management'> + <title>Account Management</title> + <para> + The + <citerefentry> + <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function is used to determine if the user's account is + valid. It checks for authentication token and account expiration and + verifies access restrictions. It is typically called after the user + has been authenticated. + </para> + </refsect2> + + <refsect2 id='pam3-password_management'> + <title>Password Management</title> + <para> + The + <citerefentry> + <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function is used to change the authentication token + for a given user on request or because the token has expired. + </para> + </refsect2> + + <refsect2 id='pam3-session_management'> + <title>Session Management</title> + <para> + The + <citerefentry> + <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function sets up a user session for a previously + successful authenticated user. The session should later be terminated + with a call to + <citerefentry> + <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </refsect2> + + <refsect2 id='pam3-conversation'> + <title>Conversation</title> + <para> + The PAM library uses an application-defined callback to allow + a direct communication between a loaded module and the application. + This callback is specified by the + <emphasis>struct pam_conv</emphasis> passed to + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> at the start of the transaction. See + <citerefentry> + <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + for details. + </para> + </refsect2> + + <refsect2 id='pam3-data'> + <title>Data Objects</title> + <para> + The + <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + and + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + functions allows applications and PAM service modules to set and + retrieve PAM information. + </para> + <para> + The + <citerefentry> + <refentrytitle>pam_get_user</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + function is the preferred method to obtain the username. + </para> + <para> + The + <citerefentry> + <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + and + <citerefentry> + <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + functions allows PAM service modules to set and retrieve free-form + data from one invocation to another. + </para> + </refsect2> + + <refsect2 id='pam3-miscellaneous'> + <title>Environment and Error Management</title> + <para> + The + <citerefentry> + <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> and + <citerefentry> + <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + functions are for maintaining a set of private environment variables. + </para> + + <para> + The + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function returns a pointer to a string describing the + given PAM error code. + </para> + </refsect2> + </refsect1> + + <refsect1 id='pam3-return_values'> + <title>RETURN VALUES</title> + <para> + The following return codes are known by PAM: + </para> + <variablelist> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para>Critical error, immediate abort.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ACCT_EXPIRED</term> + <listitem> + <para>User account has expired.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHINFO_UNAVAIL</term> + <listitem> + <para> + Authentication service cannot retrieve authentication info. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_DISABLE_AGING</term> + <listitem> + <para>Authentication token aging disabled.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_ERR</term> + <listitem> + <para>Authentication token manipulation error.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_EXPIRED</term> + <listitem> + <para>Authentication token expired.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_LOCK_BUSY</term> + <listitem> + <para>Authentication token lock busy.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_RECOVERY_ERR</term> + <listitem> + <para>Authentication information cannot be recovered.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para>Authentication failure.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para>Memory buffer error.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para>Conversation failure.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_ERR</term> + <listitem> + <para>Failure setting user credentials.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_EXPIRED</term> + <listitem> + <para>User credentials expired.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_INSUFFICIENT</term> + <listitem> + <para>Insufficient credentials to access authentication data.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_UNAVAIL</term> + <listitem> + <para>Authentication service cannot retrieve user credentials.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para>The return value should be ignored by PAM dispatch.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_MAXTRIES</term> + <listitem> + <para>Have exhausted maximum number of retries for service.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_MODULE_UNKNOWN</term> + <listitem> + <para>Module is unknown.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_NEW_AUTHTOK_REQD</term> + <listitem> + <para> + Authentication token is no longer valid; new one required. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_NO_MODULE_DATA</term> + <listitem> + <para>No module specific data is present.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_OPEN_ERR</term> + <listitem> + <para>Failed to load module.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para>Permission denied.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para>Error in service module.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para>Cannot make/remove an entry for the specified session.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para>Success.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYMBOL_ERR</term> + <listitem> + <para>Symbol not found.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para>System error.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_TRY_AGAIN</term> + <listitem> + <para>Failed preliminary check by password service.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para>User not known to the underlying authentication module.</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='see_also'><title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_get_user</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> + <refsect1 id='pam3-notes'><title>NOTES</title> + <para> + The <emphasis>libpam</emphasis> interfaces are only thread-safe if each + thread within the multithreaded application uses its own PAM handle. + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam.8 b/doc/man/pam.8 new file mode 100644 index 0000000..da9773b --- /dev/null +++ b/doc/man/pam.8 @@ -0,0 +1 @@ +.so man8/PAM.8 diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml new file mode 100644 index 0000000..464af0e --- /dev/null +++ b/doc/man/pam.8.xml @@ -0,0 +1,216 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam8'> + + <refmeta> + <refentrytitle>pam</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam8-name'> + <refname>PAM</refname> + <refname>pam</refname> + <refpurpose>Pluggable Authentication Modules for Linux</refpurpose> + </refnamediv> + + <refsect1 id='pam8-description'> + <title>DESCRIPTION</title> + <para> + This manual is intended to offer a quick introduction to + <emphasis remap='B'>Linux-PAM</emphasis>. For more information + the reader is directed to the + <emphasis remap='B'>Linux-PAM system administrators' guide</emphasis>. + </para> + + <para> + <emphasis remap='B'>Linux-PAM</emphasis> is a system of libraries + that handle the authentication tasks of applications (services) on + the system. The library provides a stable general interface + (Application Programming Interface - API) that privilege granting + programs (such as <citerefentry> + <refentrytitle>login</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> and <citerefentry> + <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>) defer to to perform standard authentication tasks. + </para> + + <para> + The principal feature of the PAM approach is that the nature of the + authentication is dynamically configurable. In other words, the + system administrator is free to choose how individual + service-providing applications will authenticate users. This dynamic + configuration is set by the contents of the single + <emphasis remap='B'>Linux-PAM</emphasis> configuration file + <filename>/etc/pam.conf</filename>. Alternatively, the configuration + can be set by individual configuration files located in the + <filename>/etc/pam.d/</filename> directory. The presence of this + directory will cause <emphasis remap='B'>Linux-PAM</emphasis> to + <emphasis remap='I'>ignore</emphasis> <filename>/etc/pam.conf</filename>. + </para> + + <para> + Vendor-supplied PAM configuration files might be installed in + the system directory <filename>/usr/lib/pam.d/</filename> or + a configurable vendor specific directory instead + of the machine configuration directory <filename>/etc/pam.d/</filename>. + If no machine configuration file is found, the vendor-supplied file + is used. All files in <filename>/etc/pam.d/</filename> override + files with the same name in other directories. + </para> + +<para>From the point of view of the system administrator, for whom this +manual is provided, it is not of primary importance to understand the +internal behavior of the +<emphasis remap='B'>Linux-PAM</emphasis> +library. The important point to recognize is that the configuration +file(s) +<emphasis remap='I'>define</emphasis> +the connection between applications +<emphasis remap='B'></emphasis>(<emphasis remap='B'>services</emphasis>) +and the pluggable authentication modules +<emphasis remap='B'></emphasis>(<emphasis remap='B'>PAM</emphasis>s) +that perform the actual authentication tasks.</para> + + +<para><emphasis remap='B'>Linux-PAM</emphasis> +separates the tasks of +<emphasis remap='I'>authentication</emphasis> +into four independent management groups: +<emphasis remap='B'>account</emphasis> management; +<emphasis remap='B'>auth</emphasis>entication management; +<emphasis remap='B'>password</emphasis> management; +and +<emphasis remap='B'>session</emphasis> management. +(We highlight the abbreviations used for these groups in the +configuration file.)</para> + + +<para>Simply put, these groups take care of different aspects of a typical +user's request for a restricted service:</para> + + +<para><emphasis remap='B'>account</emphasis> - +provide account verification types of service: has the user's password +expired?; is this user permitted access to the requested service?</para> + +<!-- .br --> +<para><emphasis remap='B'>auth</emphasis>entication - +authenticate a user and set up user credentials. Typically this is via +some challenge-response request that the user must satisfy: if you are +who you claim to be please enter your password. Not all authentications +are of this type, there exist hardware based authentication schemes +(such as the use of smart-cards and biometric devices), with suitable +modules, these may be substituted seamlessly for more standard +approaches to authentication - such is the flexibility of +<emphasis remap='B'>Linux-PAM</emphasis>.</para> + +<!-- .br --> +<para><emphasis remap='B'>password</emphasis> - +this group's responsibility is the task of updating authentication +mechanisms. Typically, such services are strongly coupled to those of +the +<emphasis remap='B'>auth</emphasis> +group. Some authentication mechanisms lend themselves well to being +updated with such a function. Standard UN*X password-based access is +the obvious example: please enter a replacement password.</para> + +<!-- .br --> +<para><emphasis remap='B'>session</emphasis> - +this group of tasks cover things that should be done prior to a +service being given and after it is withdrawn. Such tasks include the +maintenance of audit trails and the mounting of the user's home +directory. The +<emphasis remap='B'>session</emphasis> +management group is important as it provides both an opening and +closing hook for modules to affect the services available to a user.</para> + +</refsect1> + + <refsect1 id='pam8-files'> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/pam.conf</filename></term> + <listitem> + <para>the configuration file</para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>/etc/pam.d</filename></term> + <listitem> + <para> + the <emphasis remap='B'>Linux-PAM</emphasis> configuration + directory. Generally, if this directory is present, the + <filename>/etc/pam.conf</filename> file is ignored. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>/usr/lib/pam.d</filename></term> + <listitem> + <para> + the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration + directory. Files in <filename>/etc/pam.d</filename> override + files with the same name in this directory. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>%vendordir%/pam.d</filename></term> + <listitem> + <para> + the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration + directory. Files in <filename>/etc/pam.d</filename> and + <filename>/usr/lib/pam.d</filename> override files with the same + name in this directory. Only available if Linux-PAM was compiled + with vendordir enabled. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam8-errors'> + <title>ERRORS</title> + <para> + Typically errors generated by the + <emphasis remap='B'>Linux-PAM</emphasis> system of libraries, will + be written to <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id='pam8-conforming_to'> + <title>CONFORMING TO</title> + <para> + DCE-RFC 86.0, October 1995. + Contains additional features, but remains backwardly compatible + with this RFC. + </para> + </refsect1> + + <refsect1 id='pam8-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam.conf-desc.xml b/doc/man/pam.conf-desc.xml new file mode 100644 index 0000000..909dcdb --- /dev/null +++ b/doc/man/pam.conf-desc.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<section id='pam.conf-desc'> + <para> + When a <emphasis>PAM</emphasis> aware privilege granting application + is started, it activates its attachment to the PAM-API. This + activation performs a number of tasks, the most important being the + reading of the configuration file(s): <filename>/etc/pam.conf</filename>. + Alternatively, this may be the contents of the + <filename>/etc/pam.d/</filename> directory. The presence of this + directory will cause Linux-PAM to ignore + <filename>/etc/pam.conf</filename>. + </para> + <para> + These files list the <emphasis>PAM</emphasis>s that will do the + authentication tasks required by this service, and the appropriate + behavior of the PAM-API in the event that individual + <emphasis>PAM</emphasis>s fail. + </para> +</section> diff --git a/doc/man/pam.conf-dir.xml b/doc/man/pam.conf-dir.xml new file mode 100644 index 0000000..8446cf3 --- /dev/null +++ b/doc/man/pam.conf-dir.xml @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<section id='pam.conf-dir'> + <para> + More flexible than the single configuration file is it to + configure libpam via the contents of the + <filename>/etc/pam.d/</filename> directory. In this case the + directory is filled with files each of which has a filename + equal to a service-name (in lower-case): it is the personal + configuration file for the named service. + </para> + + <para> + The syntax of each file in /etc/pam.d/ is similar to that of the + <filename>/etc/pam.conf</filename> file and is made up of lines + of the following form: + </para> + + <programlisting> +type control module-path module-arguments + </programlisting> + + <para> + The only difference being that the service-name is not present. The + service-name is of course the name of the given configuration file. + For example, <filename>/etc/pam.d/login</filename> contains the + configuration for the <emphasis remap='B'>login</emphasis> service. + </para> +</section> diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml new file mode 100644 index 0000000..5112f93 --- /dev/null +++ b/doc/man/pam.conf-syntax.xml @@ -0,0 +1,427 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<section id='pam.conf-syntax'> + <para> + The syntax of the <filename>/etc/pam.conf</filename> + configuration file is as follows. The file is made up of a list + of rules, each rule is typically placed on a single line, + but may be extended with an escaped end of line: `\<LF>'. + Comments are preceded with `#' marks and extend to the next end of + line. + </para> + + <para> + The format of each rule is a space separated collection of tokens, + the first three being case-insensitive: + </para> + + <para> + <emphasis remap='B'> service type control module-path module-arguments</emphasis> + </para> + + <para> + The syntax of files contained in the <filename>/etc/pam.d/</filename> + directory, are identical except for the absence of any + <emphasis>service</emphasis> field. In this case, the + <emphasis>service</emphasis> is the name of the file in the + <filename>/etc/pam.d/</filename> directory. This filename must be + in lower case. + </para> + + <para> + An important feature of <emphasis>PAM</emphasis>, is that a + number of rules may be <emphasis>stacked</emphasis> to combine + the services of a number of PAMs for a given authentication task. + </para> + + <para> + The <emphasis>service</emphasis> is typically the familiar name of + the corresponding application: <emphasis>login</emphasis> and + <emphasis>su</emphasis> are good examples. The + <emphasis>service</emphasis>-name, <emphasis>other</emphasis>, + is reserved for giving <emphasis>default</emphasis> rules. + Only lines that mention the current service (or in the absence + of such, the <emphasis>other</emphasis> entries) will be associated + with the given service-application. + </para> + + <para> + The <emphasis>type</emphasis> is the management group that the rule + corresponds to. It is used to specify which of the management groups + the subsequent module is to be associated with. Valid entries are: + </para> + <variablelist> + <varlistentry> + <term>account</term> + <listitem> + <para> + this module type performs non-authentication based account + management. It is typically used to restrict/permit access + to a service based on the time of day, currently available + system resources (maximum number of users) or perhaps the + location of the applicant user -- 'root' login only on the + console. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>auth</term> + <listitem> + <para> + this module type provides two aspects of authenticating + the user. Firstly, it establishes that the user is who they + claim to be, by instructing the application to prompt the user + for a password or other means of identification. Secondly, the + module can grant group membership or other privileges through + its credential granting properties. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>password</term> + <listitem> + <para> + this module type is required for updating the authentication + token associated with the user. Typically, there is one module + for each 'challenge/response' based authentication (auth) type. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>session</term> + <listitem> + <para> + this module type is associated with doing things that need to + be done for the user before/after they can be given service. + Such things include the logging of information concerning the + opening/closing of some data exchange with a user, mounting + directories, etc. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + If the <emphasis>type</emphasis> value from the list above is prepended + with a <emphasis>-</emphasis> character the PAM library will not log to + the system log if it is not possible to load the module because it is + missing in the system. This can be useful especially for modules which + are not always installed on the system and are not required for correct + authentication and authorization of the login session. + </para> + + <para> + The third field, <emphasis>control</emphasis>, indicates the + behavior of the PAM-API should the module fail to succeed in its + authentication task. There are two types of syntax for this control + field: the simple one has a single simple keyword; the more + complicated one involves a square-bracketed selection of + <emphasis>value=action</emphasis> pairs. + </para> + + <para> + For the simple (historical) syntax valid <emphasis>control</emphasis> + values are: + </para> + <variablelist> + <varlistentry> + <term>required</term> + <listitem> + <para> + failure of such a PAM will ultimately lead to the PAM-API + returning failure but only after the remaining + <emphasis>stacked</emphasis> modules (for this + <emphasis>service</emphasis> and <emphasis>type</emphasis>) + have been invoked. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>requisite</term> + <listitem> + <para> + like <emphasis>required</emphasis>, however, in the case that + such a module returns a failure, control is directly returned + to the application or to the superior PAM stack. + The return value is that associated with + the first required or requisite module to fail. Note, this flag + can be used to protect against the possibility of a user getting + the opportunity to enter a password over an unsafe medium. It is + conceivable that such behavior might inform an attacker of valid + accounts on a system. This possibility should be weighed against + the not insignificant concerns of exposing a sensitive password + in a hostile environment. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>sufficient</term> + <listitem> + <para> + if such a module succeeds and no prior <emphasis>required</emphasis> + module has failed the PAM framework returns success to + the application or to the superior PAM stack immediately without + calling any further modules in the stack. A failure of a + <emphasis>sufficient</emphasis> module is ignored and processing + of the PAM module stack continues unaffected. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>optional</term> + <listitem> + <para> + the success or failure of this module is only important if + it is the only module in the stack associated with this + <emphasis>service</emphasis>+<emphasis>type</emphasis>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>include</term> + <listitem> + <para> + include all lines of given type from the configuration + file specified as an argument to this control. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>substack</term> + <listitem> + <para> + include all lines of given type from the configuration + file specified as an argument to this control. This differs from + <emphasis>include</emphasis> in that evaluation of the + <emphasis>done</emphasis> and <emphasis>die</emphasis> actions + in a substack does not cause skipping the rest of the complete + module stack, but only of the substack. Jumps in a substack + also can not make evaluation jump out of it, and the whole substack + is counted as one module when the jump is done in a parent stack. + The <emphasis>reset</emphasis> action will reset the state of a + module stack to the state it was in as of beginning of the substack + evaluation. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + For the more complicated syntax valid <emphasis>control</emphasis> + values have the following form: + </para> + <programlisting> + [value1=action1 value2=action2 ...] + </programlisting> + + <para> + Where <emphasis>valueN</emphasis> corresponds to the return code + from the function invoked in the module for which the line is + defined. It is selected from one of these: + <emphasis>success</emphasis>, <emphasis>open_err</emphasis>, + <emphasis>symbol_err</emphasis>, <emphasis>service_err</emphasis>, + <emphasis>system_err</emphasis>, <emphasis>buf_err</emphasis>, + <emphasis>perm_denied</emphasis>, <emphasis>auth_err</emphasis>, + <emphasis>cred_insufficient</emphasis>, + <emphasis>authinfo_unavail</emphasis>, + <emphasis>user_unknown</emphasis>, <emphasis>maxtries</emphasis>, + <emphasis>new_authtok_reqd</emphasis>, + <emphasis>acct_expired</emphasis>, <emphasis>session_err</emphasis>, + <emphasis>cred_unavail</emphasis>, <emphasis>cred_expired</emphasis>, + <emphasis>cred_err</emphasis>, <emphasis>no_module_data</emphasis>, + <emphasis>conv_err</emphasis>, <emphasis>authtok_err</emphasis>, + <emphasis>authtok_recover_err</emphasis>, + <emphasis>authtok_lock_busy</emphasis>, + <emphasis>authtok_disable_aging</emphasis>, + <emphasis>try_again</emphasis>, <emphasis>ignore</emphasis>, + <emphasis>abort</emphasis>, <emphasis>authtok_expired</emphasis>, + <emphasis>module_unknown</emphasis>, <emphasis>bad_item</emphasis>, + <emphasis>conv_again</emphasis>, <emphasis>incomplete</emphasis>, + and <emphasis>default</emphasis>. + </para> + <para> + The last of these, <emphasis>default</emphasis>, implies 'all + <emphasis>valueN</emphasis>'s not mentioned explicitly. Note, the + full list of PAM errors is available in + <filename>/usr/include/security/_pam_types.h</filename>. The + <emphasis>actionN</emphasis> can take one of the following forms: + </para> + <variablelist> + <varlistentry> + <term>ignore</term> + <listitem> + <para> + when used with a stack of modules, the module's return + status will not contribute to the return code the application + obtains. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>bad</term> + <listitem> + <para> + this action indicates that the return code should be thought + of as indicative of the module failing. If this module is the + first in the stack to fail, its status value will be used for + that of the whole stack. This is the default action for + all return codes. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>die</term> + <listitem> + <para> + equivalent to <emphasis>bad</emphasis> with the side effect of + terminating the module stack and PAM immediately returning to + the application. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ok</term> + <listitem> + <para> + this tells PAM that the administrator thinks this return code + should contribute directly to the return code of the full + stack of modules. In other words, if the former state of the + stack would lead to a return of <emphasis>PAM_SUCCESS</emphasis>, + the module's return code will override this value. Note, if + the former state of the stack holds some value that is + indicative of a modules failure, this 'ok' value will not be + used to override that value. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>done</term> + <listitem> + <para> + equivalent to <emphasis>ok</emphasis> with the side effect of + terminating the module stack and PAM immediately returning to the + application unless there was a non-ignored module failure before. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>N (an unsigned integer)</term> + <listitem> + <para> + jump over the next N modules in the stack. + Note that N equal to 0 is not allowed, + it would be treated as <emphasis>ignore</emphasis> in such case. + The side effect depends on the PAM function call: + for <emphasis>pam_authenticate</emphasis>, + <emphasis>pam_acct_mgmt</emphasis>, + <emphasis>pam_chauthtok</emphasis>, and + <emphasis>pam_open_session</emphasis> + it is <emphasis>ignore</emphasis>; + for <emphasis>pam_setcred</emphasis> and + <emphasis>pam_close_session</emphasis> it is + one of <emphasis>ignore</emphasis>, <emphasis>ok</emphasis>, + or <emphasis>bad</emphasis> depending on the module's return value. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>reset</term> + <listitem> + <para> + clear all memory of the state of the module stack and + start again with the next stacked module. + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + If a return code's action is not specifically defined via a + <emphasis>valueN</emphasis> token, and the + <emphasis>default</emphasis> value is not specified, that return + code's action defaults to <emphasis>bad</emphasis>. + </para> + + <para> + Each of the four keywords: required; requisite; sufficient; and + optional, have an equivalent expression in terms of the [...] + syntax. They are as follows: + </para> + <variablelist> + <varlistentry> + <term>required</term> + <listitem> + <para> + [success=ok new_authtok_reqd=ok ignore=ignore default=bad] + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>requisite</term> + <listitem> + <para> + [success=ok new_authtok_reqd=ok ignore=ignore default=die] + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>sufficient</term> + <listitem> + <para> + [success=done new_authtok_reqd=done default=ignore] + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>optional</term> + <listitem> + <para> + [success=ok new_authtok_reqd=ok default=ignore] + </para> + </listitem> + </varlistentry> + </variablelist> + + <para> + <emphasis>module-path</emphasis> is either the full filename + of the PAM to be used by the application (it begins with a '/'), + or a relative pathname from the default module location: + <filename>/lib/security/</filename> or + <filename>/lib64/security/</filename>, depending on the architecture. + </para> + + <para> + <emphasis>module-arguments</emphasis> are a space separated list + of tokens that can be used to modify the specific behavior of the + given PAM. Such arguments will be documented for each individual + module. Note, if you wish to include spaces in an argument, you + should surround that argument with square brackets. + </para> + <programlisting> + squid auth required pam_mysql.so user=passwd_query passwd=mada \ + db=eminence [query=select user_name from internet_service \ + where user_name='%u' and password=PASSWORD('%p') and \ + service='web_proxy'] + </programlisting> + <para> + When using this convention, you can include `[' characters + inside the string, and if you wish to include a `]' character + inside the string that will survive the argument parsing, you + should use `\]'. In other words: + </para> + <programlisting> + [..[..\]..] --> ..[..].. + </programlisting> + + <para> + Any line in (one of) the configuration file(s), that is not formatted + correctly, will generally tend (erring on the side of caution) to make + the authentication process fail. A corresponding error is written to + the system log files with a call to + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + +</section> diff --git a/doc/man/pam.conf.5 b/doc/man/pam.conf.5 new file mode 100644 index 0000000..703bcf6 --- /dev/null +++ b/doc/man/pam.conf.5 @@ -0,0 +1,382 @@ +'\" t +.\" Title: pam.conf +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam.conf, pam.d \- PAM configuration files +.SH "DESCRIPTION" +.PP +When a +\fIPAM\fR +aware privilege granting application is started, it activates its attachment to the PAM\-API\&. This activation performs a number of tasks, the most important being the reading of the configuration file(s): +/etc/pam\&.conf\&. Alternatively, this may be the contents of the +/etc/pam\&.d/ +directory\&. The presence of this directory will cause Linux\-PAM to ignore +/etc/pam\&.conf\&. +.PP +These files list the +\fIPAM\fRs that will do the authentication tasks required by this service, and the appropriate behavior of the PAM\-API in the event that individual +\fIPAM\fRs fail\&. +.PP +The syntax of the +/etc/pam\&.conf +configuration file is as follows\&. The file is made up of a list of rules, each rule is typically placed on a single line, but may be extended with an escaped end of line: `\e<LF>\*(Aq\&. Comments are preceded with `#\*(Aq marks and extend to the next end of line\&. +.PP +The format of each rule is a space separated collection of tokens, the first three being case\-insensitive: +.PP +\fB service type control module\-path module\-arguments\fR +.PP +The syntax of files contained in the +/etc/pam\&.d/ +directory, are identical except for the absence of any +\fIservice\fR +field\&. In this case, the +\fIservice\fR +is the name of the file in the +/etc/pam\&.d/ +directory\&. This filename must be in lower case\&. +.PP +An important feature of +\fIPAM\fR, is that a number of rules may be +\fIstacked\fR +to combine the services of a number of PAMs for a given authentication task\&. +.PP +The +\fIservice\fR +is typically the familiar name of the corresponding application: +\fIlogin\fR +and +\fIsu\fR +are good examples\&. The +\fIservice\fR\-name, +\fIother\fR, is reserved for giving +\fIdefault\fR +rules\&. Only lines that mention the current service (or in the absence of such, the +\fIother\fR +entries) will be associated with the given service\-application\&. +.PP +The +\fItype\fR +is the management group that the rule corresponds to\&. It is used to specify which of the management groups the subsequent module is to be associated with\&. Valid entries are: +.PP +account +.RS 4 +this module type performs non\-authentication based account management\&. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user \-\- \*(Aqroot\*(Aq login only on the console\&. +.RE +.PP +auth +.RS 4 +this module type provides two aspects of authenticating the user\&. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification\&. Secondly, the module can grant group membership or other privileges through its credential granting properties\&. +.RE +.PP +password +.RS 4 +this module type is required for updating the authentication token associated with the user\&. Typically, there is one module for each \*(Aqchallenge/response\*(Aq based authentication (auth) type\&. +.RE +.PP +session +.RS 4 +this module type is associated with doing things that need to be done for the user before/after they can be given service\&. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc\&. +.RE +.PP +If the +\fItype\fR +value from the list above is prepended with a +\fI\-\fR +character the PAM library will not log to the system log if it is not possible to load the module because it is missing in the system\&. This can be useful especially for modules which are not always installed on the system and are not required for correct authentication and authorization of the login session\&. +.PP +The third field, +\fIcontrol\fR, indicates the behavior of the PAM\-API should the module fail to succeed in its authentication task\&. There are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a square\-bracketed selection of +\fIvalue=action\fR +pairs\&. +.PP +For the simple (historical) syntax valid +\fIcontrol\fR +values are: +.PP +required +.RS 4 +failure of such a PAM will ultimately lead to the PAM\-API returning failure but only after the remaining +\fIstacked\fR +modules (for this +\fIservice\fR +and +\fItype\fR) have been invoked\&. +.RE +.PP +requisite +.RS 4 +like +\fIrequired\fR, however, in the case that such a module returns a failure, control is directly returned to the application or to the superior PAM stack\&. The return value is that associated with the first required or requisite module to fail\&. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium\&. It is conceivable that such behavior might inform an attacker of valid accounts on a system\&. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment\&. +.RE +.PP +sufficient +.RS 4 +if such a module succeeds and no prior +\fIrequired\fR +module has failed the PAM framework returns success to the application or to the superior PAM stack immediately without calling any further modules in the stack\&. A failure of a +\fIsufficient\fR +module is ignored and processing of the PAM module stack continues unaffected\&. +.RE +.PP +optional +.RS 4 +the success or failure of this module is only important if it is the only module in the stack associated with this +\fIservice\fR+\fItype\fR\&. +.RE +.PP +include +.RS 4 +include all lines of given type from the configuration file specified as an argument to this control\&. +.RE +.PP +substack +.RS 4 +include all lines of given type from the configuration file specified as an argument to this control\&. This differs from +\fIinclude\fR +in that evaluation of the +\fIdone\fR +and +\fIdie\fR +actions in a substack does not cause skipping the rest of the complete module stack, but only of the substack\&. Jumps in a substack also can not make evaluation jump out of it, and the whole substack is counted as one module when the jump is done in a parent stack\&. The +\fIreset\fR +action will reset the state of a module stack to the state it was in as of beginning of the substack evaluation\&. +.RE +.PP +For the more complicated syntax valid +\fIcontrol\fR +values have the following form: +.sp +.if n \{\ +.RS 4 +.\} +.nf + [value1=action1 value2=action2 \&.\&.\&.] + +.fi +.if n \{\ +.RE +.\} +.PP +Where +\fIvalueN\fR +corresponds to the return code from the function invoked in the module for which the line is defined\&. It is selected from one of these: +\fIsuccess\fR, +\fIopen_err\fR, +\fIsymbol_err\fR, +\fIservice_err\fR, +\fIsystem_err\fR, +\fIbuf_err\fR, +\fIperm_denied\fR, +\fIauth_err\fR, +\fIcred_insufficient\fR, +\fIauthinfo_unavail\fR, +\fIuser_unknown\fR, +\fImaxtries\fR, +\fInew_authtok_reqd\fR, +\fIacct_expired\fR, +\fIsession_err\fR, +\fIcred_unavail\fR, +\fIcred_expired\fR, +\fIcred_err\fR, +\fIno_module_data\fR, +\fIconv_err\fR, +\fIauthtok_err\fR, +\fIauthtok_recover_err\fR, +\fIauthtok_lock_busy\fR, +\fIauthtok_disable_aging\fR, +\fItry_again\fR, +\fIignore\fR, +\fIabort\fR, +\fIauthtok_expired\fR, +\fImodule_unknown\fR, +\fIbad_item\fR, +\fIconv_again\fR, +\fIincomplete\fR, and +\fIdefault\fR\&. +.PP +The last of these, +\fIdefault\fR, implies \*(Aqall +\fIvalueN\fR\*(Aqs not mentioned explicitly\&. Note, the full list of PAM errors is available in +/usr/include/security/_pam_types\&.h\&. The +\fIactionN\fR +can take one of the following forms: +.PP +ignore +.RS 4 +when used with a stack of modules, the module\*(Aqs return status will not contribute to the return code the application obtains\&. +.RE +.PP +bad +.RS 4 +this action indicates that the return code should be thought of as indicative of the module failing\&. If this module is the first in the stack to fail, its status value will be used for that of the whole stack\&. This is the default action for all return codes\&. +.RE +.PP +die +.RS 4 +equivalent to +\fIbad\fR +with the side effect of terminating the module stack and PAM immediately returning to the application\&. +.RE +.PP +ok +.RS 4 +this tells PAM that the administrator thinks this return code should contribute directly to the return code of the full stack of modules\&. In other words, if the former state of the stack would lead to a return of +\fIPAM_SUCCESS\fR, the module\*(Aqs return code will override this value\&. Note, if the former state of the stack holds some value that is indicative of a modules failure, this \*(Aqok\*(Aq value will not be used to override that value\&. +.RE +.PP +done +.RS 4 +equivalent to +\fIok\fR +with the side effect of terminating the module stack and PAM immediately returning to the application unless there was a non\-ignored module failure before\&. +.RE +.PP +N (an unsigned integer) +.RS 4 +jump over the next N modules in the stack\&. Note that N equal to 0 is not allowed, it would be treated as +\fIignore\fR +in such case\&. The side effect depends on the PAM function call: for +\fIpam_authenticate\fR, +\fIpam_acct_mgmt\fR, +\fIpam_chauthtok\fR, and +\fIpam_open_session\fR +it is +\fIignore\fR; for +\fIpam_setcred\fR +and +\fIpam_close_session\fR +it is one of +\fIignore\fR, +\fIok\fR, or +\fIbad\fR +depending on the module\*(Aqs return value\&. +.RE +.PP +reset +.RS 4 +clear all memory of the state of the module stack and start again with the next stacked module\&. +.RE +.PP +If a return code\*(Aqs action is not specifically defined via a +\fIvalueN\fR +token, and the +\fIdefault\fR +value is not specified, that return code\*(Aqs action defaults to +\fIbad\fR\&. +.PP +Each of the four keywords: required; requisite; sufficient; and optional, have an equivalent expression in terms of the [\&.\&.\&.] syntax\&. They are as follows: +.PP +required +.RS 4 +[success=ok new_authtok_reqd=ok ignore=ignore default=bad] +.RE +.PP +requisite +.RS 4 +[success=ok new_authtok_reqd=ok ignore=ignore default=die] +.RE +.PP +sufficient +.RS 4 +[success=done new_authtok_reqd=done default=ignore] +.RE +.PP +optional +.RS 4 +[success=ok new_authtok_reqd=ok default=ignore] +.RE +.PP +\fImodule\-path\fR +is either the full filename of the PAM to be used by the application (it begins with a \*(Aq/\*(Aq), or a relative pathname from the default module location: +/lib/security/ +or +/lib64/security/, depending on the architecture\&. +.PP +\fImodule\-arguments\fR +are a space separated list of tokens that can be used to modify the specific behavior of the given PAM\&. Such arguments will be documented for each individual module\&. Note, if you wish to include spaces in an argument, you should surround that argument with square brackets\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf + squid auth required pam_mysql\&.so user=passwd_query passwd=mada \e + db=eminence [query=select user_name from internet_service \e + where user_name=\*(Aq%u\*(Aq and password=PASSWORD(\*(Aq%p\*(Aq) and \e + service=\*(Aqweb_proxy\*(Aq] + +.fi +.if n \{\ +.RE +.\} +.PP +When using this convention, you can include `[\*(Aq characters inside the string, and if you wish to include a `]\*(Aq character inside the string that will survive the argument parsing, you should use `\e]\*(Aq\&. In other words: +.sp +.if n \{\ +.RS 4 +.\} +.nf + [\&.\&.[\&.\&.\e]\&.\&.] \-\-> \&.\&.[\&.\&.]\&.\&. + +.fi +.if n \{\ +.RE +.\} +.PP +Any line in (one of) the configuration file(s), that is not formatted correctly, will generally tend (erring on the side of caution) to make the authentication process fail\&. A corresponding error is written to the system log files with a call to +\fBsyslog\fR(3)\&. +.PP +More flexible than the single configuration file is it to configure libpam via the contents of the +/etc/pam\&.d/ +directory\&. In this case the directory is filled with files each of which has a filename equal to a service\-name (in lower\-case): it is the personal configuration file for the named service\&. +.PP +The syntax of each file in /etc/pam\&.d/ is similar to that of the +/etc/pam\&.conf +file and is made up of lines of the following form: +.sp +.if n \{\ +.RS 4 +.\} +.nf +type control module\-path module\-arguments + +.fi +.if n \{\ +.RE +.\} +.PP +The only difference being that the service\-name is not present\&. The service\-name is of course the name of the given configuration file\&. For example, +/etc/pam\&.d/login +contains the configuration for the +\fBlogin\fR +service\&. +.SH "SEE ALSO" +.PP +\fBpam\fR(3), +\fBPAM\fR(8), +\fBpam_start\fR(3) diff --git a/doc/man/pam.d.5 b/doc/man/pam.d.5 new file mode 100644 index 0000000..e4606ae --- /dev/null +++ b/doc/man/pam.d.5 @@ -0,0 +1 @@ +.so man5/pam.conf.5 diff --git a/doc/man/pam_acct_mgmt.3 b/doc/man/pam_acct_mgmt.3 new file mode 100644 index 0000000..1d95505 --- /dev/null +++ b/doc/man/pam_acct_mgmt.3 @@ -0,0 +1,100 @@ +'\" t +.\" Title: pam_acct_mgmt +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_ACCT_MGMT" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_acct_mgmt \- PAM account validation management +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_acct_mgmt('u +.BI "int pam_acct_mgmt(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_acct_mgmt\fR +function is used to determine if the user\*(Aqs account is valid\&. It checks for authentication token and account expiration and verifies access restrictions\&. It is typically called after the user has been authenticated\&. +.PP +The +\fIpamh\fR +argument is an authentication handle obtained by a prior call to pam_start()\&. The flags argument is the binary or of zero or more of the following values: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.PP +PAM_DISALLOW_NULL_AUTHTOK +.RS 4 +The PAM module service should return PAM_NEW_AUTHTOK_REQD if the user has a null authentication token\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_ACCT_EXPIRED +.RS 4 +User account has expired\&. +.RE +.PP +PAM_AUTH_ERR +.RS 4 +Authentication failure\&. +.RE +.PP +PAM_NEW_AUTHTOK_REQD +.RS 4 +The user account is valid but their authentication token is +\fIexpired\fR\&. The correct response to this return\-value is to require that the user satisfies the +\fBpam_chauthtok()\fR +function before obtaining service\&. It may not be possible for some applications to do this\&. In such cases, the user should be denied access until such time as they can update their password\&. +.RE +.PP +PAM_PERM_DENIED +.RS 4 +Permission denied\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The authentication token was successfully updated\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User unknown to password service\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_start\fR(3), +\fBpam_authenticate\fR(3), +\fBpam_chauthtok\fR(3), +\fBpam_strerror\fR(3), +\fBpam\fR(8) diff --git a/doc/man/pam_acct_mgmt.3.xml b/doc/man/pam_acct_mgmt.3.xml new file mode 100644 index 0000000..59760d7 --- /dev/null +++ b/doc/man/pam_acct_mgmt.3.xml @@ -0,0 +1,145 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_acct_mgmt'> + <refmeta> + <refentrytitle>pam_acct_mgmt</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_acct_mgmt-name"> + <refname>pam_acct_mgmt</refname> + <refpurpose>PAM account validation management</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_acct_mgmt-synopsis'> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_acct_mgmt</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_acct_mgmt-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_acct_mgmt</function> function is used to determine + if the user's account is valid. It checks for authentication token + and account expiration and verifies access restrictions. It is + typically called after the user has been authenticated. + </para> + <para> + The <emphasis>pamh</emphasis> argument is an authentication + handle obtained by a prior call to pam_start(). + The flags argument is the binary or of zero or more of the + following values: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_DISALLOW_NULL_AUTHTOK</term> + <listitem> + <para> + The PAM module service should return PAM_NEW_AUTHTOK_REQD + if the user has a null authentication token. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_acct_mgmt-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_ACCT_EXPIRED</term> + <listitem> + <para> + User account has expired. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_NEW_AUTHTOK_REQD</term> + <listitem> + <para> + The user account is valid but their authentication token + is <emphasis>expired</emphasis>. The correct response to + this return-value is to require that the user satisfies + the <function>pam_chauthtok()</function> function before + obtaining service. It may not be possible for some + applications to do this. In such cases, the user should be + denied access until such time as they can update their password. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Permission denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The authentication token was successfully updated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User unknown to password service. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_acct_mgmt-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_authenticate.3 b/doc/man/pam_authenticate.3 new file mode 100644 index 0000000..e3257bf --- /dev/null +++ b/doc/man/pam_authenticate.3 @@ -0,0 +1,110 @@ +'\" t +.\" Title: pam_authenticate +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_AUTHENTICATE" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_authenticate \- account authentication +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_authenticate('u +.BI "int pam_authenticate(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_authenticate\fR +function is used to authenticate the user\&. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print\&. +.PP +The PAM service module may request that the user enter their username via the conversation mechanism (see +\fBpam_start\fR(3) +and +\fBpam_conv\fR(3))\&. The name of the authenticated user will be present in the PAM item PAM_USER\&. This item may be recovered with a call to +\fBpam_get_item\fR(3)\&. +.PP +The +\fIpamh\fR +argument is an authentication handle obtained by a prior call to pam_start()\&. The flags argument is the binary or of zero or more of the following values: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.PP +PAM_DISALLOW_NULL_AUTHTOK +.RS 4 +The PAM module service should return PAM_AUTH_ERR if the user does not have a registered authentication token\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_ABORT +.RS 4 +The application should exit immediately after calling +\fBpam_end\fR(3) +first\&. +.RE +.PP +PAM_AUTH_ERR +.RS 4 +The user was not authenticated\&. +.RE +.PP +PAM_CRED_INSUFFICIENT +.RS 4 +For some reason the application does not have sufficient credentials to authenticate the user\&. +.RE +.PP +PAM_AUTHINFO_UNAVAIL +.RS 4 +The modules were not able to access the authentication information\&. This might be due to a network or hardware failure etc\&. +.RE +.PP +PAM_MAXTRIES +.RS 4 +One or more of the authentication modules has reached its limit of tries authenticating the user\&. Do not try again\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The user was successfully authenticated\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User unknown to authentication service\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_start\fR(3), +\fBpam_setcred\fR(3), +\fBpam_chauthtok\fR(3), +\fBpam_strerror\fR(3), +\fBpam\fR(8) diff --git a/doc/man/pam_authenticate.3.xml b/doc/man/pam_authenticate.3.xml new file mode 100644 index 0000000..c2004eb --- /dev/null +++ b/doc/man/pam_authenticate.3.xml @@ -0,0 +1,169 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_authenticate'> + <refmeta> + <refentrytitle>pam_authenticate</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_authenticate-name"> + <refname>pam_authenticate</refname> + <refpurpose>account authentication</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_authenticate-synopsis'> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_authenticate</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_authenticate-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_authenticate</function> function is used to + authenticate the user. The user is required to provide an + authentication token depending upon the authentication service, + usually this is a password, but could also be a finger print. + </para> + <para> + The PAM service module may request that the user enter their + username via the conversation mechanism (see + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> and + <citerefentry> + <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>). The name of the authenticated user + will be present in the PAM item PAM_USER. This item may be + recovered with a call to + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + <para> + The <emphasis>pamh</emphasis> argument is an authentication + handle obtained by a prior call to pam_start(). + The flags argument is the binary or of zero or more of the + following values: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_DISALLOW_NULL_AUTHTOK</term> + <listitem> + <para> + The PAM module service should return PAM_AUTH_ERR + if the user does not have a registered authentication token. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_authenticate-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + The application should exit immediately after calling + <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> first. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The user was not authenticated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_INSUFFICIENT</term> + <listitem> + <para> + For some reason the application does not have sufficient + credentials to authenticate the user. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHINFO_UNAVAIL</term> + <listitem> + <para> + The modules were not able to access the authentication + information. This might be due to a network or hardware + failure etc. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_MAXTRIES</term> + <listitem> + <para> + One or more of the authentication modules has reached its + limit of tries authenticating the user. Do not try again. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The user was successfully authenticated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User unknown to authentication service. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_authenticate-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_chauthtok.3 b/doc/man/pam_chauthtok.3 new file mode 100644 index 0000000..d2e0b46 --- /dev/null +++ b/doc/man/pam_chauthtok.3 @@ -0,0 +1,109 @@ +'\" t +.\" Title: pam_chauthtok +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_CHAUTHTOK" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_chauthtok \- updating authentication tokens +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_chauthtok('u +.BI "int pam_chauthtok(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_chauthtok\fR +function is used to change the authentication token for a given user (as indicated by the state associated with the handle +\fIpamh\fR)\&. +.PP +The +\fIpamh\fR +argument is an authentication handle obtained by a prior call to pam_start()\&. The flags argument is the binary or of zero or more of the following values: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.PP +PAM_CHANGE_EXPIRED_AUTHTOK +.RS 4 +This argument indicates to the modules that the user\*(Aqs authentication token (password) should only be changed if it has expired\&. If this argument is not passed, the application requires that all authentication tokens are to be changed\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_AUTHTOK_ERR +.RS 4 +A module was unable to obtain the new authentication token\&. +.RE +.PP +PAM_AUTHTOK_RECOVERY_ERR +.RS 4 +A module was unable to obtain the old authentication token\&. +.RE +.PP +PAM_AUTHTOK_LOCK_BUSY +.RS 4 +One or more of the modules was unable to change the authentication token since it is currently locked\&. +.RE +.PP +PAM_AUTHTOK_DISABLE_AGING +.RS 4 +Authentication token aging has been disabled for at least one of the modules\&. +.RE +.PP +PAM_PERM_DENIED +.RS 4 +Permission denied\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The authentication token was successfully updated\&. +.RE +.PP +PAM_TRY_AGAIN +.RS 4 +Not all of the modules were in a position to update the authentication token(s)\&. In such a case none of the user\*(Aqs authentication tokens are updated\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User unknown to password service\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_start\fR(3), +\fBpam_authenticate\fR(3), +\fBpam_setcred\fR(3), +\fBpam_get_item\fR(3), +\fBpam_strerror\fR(3), +\fBpam\fR(8) diff --git a/doc/man/pam_chauthtok.3.xml b/doc/man/pam_chauthtok.3.xml new file mode 100644 index 0000000..f42bc68 --- /dev/null +++ b/doc/man/pam_chauthtok.3.xml @@ -0,0 +1,164 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_chauthtok'> + <refmeta> + <refentrytitle>pam_chauthtok</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_chauthtok-name"> + <refname>pam_chauthtok</refname> + <refpurpose>updating authentication tokens</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_chauthtok-synopsis'> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_chauthtok</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_chauthtok-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_chauthtok</function> function is used to change the + authentication token for a given user (as indicated by the state + associated with the handle <emphasis>pamh</emphasis>). + </para> + <para> + The <emphasis>pamh</emphasis> argument is an authentication + handle obtained by a prior call to pam_start(). + The flags argument is the binary or of zero or more of the + following values: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CHANGE_EXPIRED_AUTHTOK</term> + <listitem> + <para> + This argument indicates to the modules that the user's + authentication token (password) should only be changed + if it has expired. + If this argument is not passed, the application requires + that all authentication tokens are to be changed. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_chauthtok-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTHTOK_ERR</term> + <listitem> + <para> + A module was unable to obtain the new authentication token. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_RECOVERY_ERR</term> + <listitem> + <para> + A module was unable to obtain the old authentication token. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_LOCK_BUSY</term> + <listitem> + <para> + One or more of the modules was unable to change the + authentication token since it is currently locked. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_DISABLE_AGING</term> + <listitem> + <para> + Authentication token aging has been disabled for at least + one of the modules. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Permission denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The authentication token was successfully updated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_TRY_AGAIN</term> + <listitem> + <para> + Not all of the modules were in a position to update the + authentication token(s). In such a case none of the user's + authentication tokens are updated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User unknown to password service. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_chauthtok-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_close_session.3 b/doc/man/pam_close_session.3 new file mode 100644 index 0000000..3a7d56b --- /dev/null +++ b/doc/man/pam_close_session.3 @@ -0,0 +1,81 @@ +'\" t +.\" Title: pam_close_session +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_CLOSE_SESSION" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_close_session \- terminate PAM session management +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_close_session('u +.BI "int pam_close_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_close_session\fR +function is used to indicate that an authenticated session has ended\&. The session should have been created with a call to +\fBpam_open_session\fR(3)\&. +.PP +It should be noted that the effective uid, +\fBgeteuid\fR(2)\&. of the application should be of sufficient privilege to perform such tasks as unmounting the user\*(Aqs home directory for example\&. +.PP +The flags argument is the binary or of zero or more of the following values: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_ABORT +.RS 4 +General failure\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_SESSION_ERR +.RS 4 +Session failure\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Session was successful terminated\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_open_session\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_close_session.3.xml b/doc/man/pam_close_session.3.xml new file mode 100644 index 0000000..db549bd --- /dev/null +++ b/doc/man/pam_close_session.3.xml @@ -0,0 +1,115 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_send'> + + <refmeta> + <refentrytitle>pam_close_session</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_close_session-name"> + <refname>pam_close_session</refname> + <refpurpose>terminate PAM session management</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_close_session-synopsis"> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_close_session</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_close_session-description"> + <title>DESCRIPTION</title> + <para> + The <function>pam_close_session</function> function is used + to indicate that an authenticated session has ended. + The session should have been created with a call to + <citerefentry> + <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + <para> + It should be noted that the effective uid, + <citerefentry> + <refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum> + </citerefentry>. of the application should be of sufficient + privilege to perform such tasks as unmounting the + user's home directory for example. + </para> + <para> + The flags argument is the binary or of zero or more of the + following values: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_close_session-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + General failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Session failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Session was successful terminated. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_close_session-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_conv.3 b/doc/man/pam_conv.3 new file mode 100644 index 0000000..5f65b2e --- /dev/null +++ b/doc/man/pam_conv.3 @@ -0,0 +1,177 @@ +'\" t +.\" Title: pam_conv +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_CONV" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_conv \- PAM conversation function +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.sp +.nf +struct pam_message { + int msg_style; + const char *msg; +}; + +struct pam_response { + char *resp; + int resp_retcode; +}; + +struct pam_conv { + int (*conv)(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr); + void *appdata_ptr; +}; + +.fi +.SH "DESCRIPTION" +.PP +The PAM library uses an application\-defined callback to allow a direct communication between a loaded module and the application\&. This callback is specified by the +\fIstruct pam_conv\fR +passed to +\fBpam_start\fR(3) +at the start of the transaction\&. +.PP +When a module calls the referenced conv() function, the argument +\fIappdata_ptr\fR +is set to the second element of this structure\&. +.PP +The other arguments of a call to conv() concern the information exchanged by module and application\&. That is to say, +\fInum_msg\fR +holds the length of the array of pointers, +\fImsg\fR\&. After a successful return, the pointer +\fIresp\fR +points to an array of pam_response structures, holding the application supplied text\&. The +\fIresp_retcode\fR +member of this struct is unused and should be set to zero\&. It is the caller\*(Aqs responsibility to release both, this array and the responses themselves, using +\fBfree\fR(3)\&. Note, +\fI*resp\fR +is a +\fIstruct pam_response\fR +array and not an array of pointers\&. +.PP +The number of responses is always equal to the +\fInum_msg\fR +conversation function argument\&. This does require that the response array is +\fBfree\fR(3)\*(Aqd after every call to the conversation function\&. The index of the responses corresponds directly to the prompt index in the pam_message array\&. +.PP +On failure, the conversation function should release any resources it has allocated, and return one of the predefined PAM error codes\&. +.PP +Each message can have one of four types, specified by the +\fImsg_style\fR +member of +\fIstruct pam_message\fR: +.PP +PAM_PROMPT_ECHO_OFF +.RS 4 +Obtain a string without echoing any text\&. +.RE +.PP +PAM_PROMPT_ECHO_ON +.RS 4 +Obtain a string whilst echoing text\&. +.RE +.PP +PAM_ERROR_MSG +.RS 4 +Display an error message\&. +.RE +.PP +PAM_TEXT_INFO +.RS 4 +Display some text\&. +.RE +.PP +The point of having an array of messages is that it becomes possible to pass a number of things to the application in a single call from the module\&. It can also be convenient for the application that related things come at once: a windows based application can then present a single form with many messages/prompts on at once\&. +.PP +In passing, it is worth noting that there is a discrepancy between the way Linux\-PAM handles the const struct pam_message **msg conversation function argument and the way that Solaris\*(Aq PAM (and derivatives, known to include HP/UX, are there others?) does\&. Linux\-PAM interprets the msg argument as entirely equivalent to the following prototype const struct pam_message *msg[] (which, in spirit, is consistent with the commonly used prototypes for argv argument to the familiar main() function: char **argv; and char *argv[])\&. Said another way Linux\-PAM interprets the msg argument as a pointer to an array of num_msg read only \*(Aqstruct pam_message\*(Aq pointers\&. Solaris\*(Aq PAM implementation interprets this argument as a pointer to a pointer to an array of num_msg pam_message structures\&. Fortunately, perhaps, for most module/application developers when num_msg has a value of one these two definitions are entirely equivalent\&. Unfortunately, casually raising this number to two has led to unanticipated compatibility problems\&. +.PP +For what its worth the two known module writer work\-arounds for trying to maintain source level compatibility with both PAM implementations are: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +never call the conversation function with num_msg greater than one\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +set up msg as doubly referenced so both types of conversation function can find the messages\&. That is, make +.sp +.if n \{\ +.RS 4 +.\} +.nf + msg[n] = & (( *msg )[n]) + +.fi +.if n \{\ +.RE +.\} +.RE +.SH "RETURN VALUES" +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +Conversation failure\&. The application should not set +\fI*resp\fR\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Success\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_start\fR(3), +\fBpam_set_item\fR(3), +\fBpam_get_item\fR(3), +\fBpam_strerror\fR(3), +\fBpam\fR(8) diff --git a/doc/man/pam_conv.3.xml b/doc/man/pam_conv.3.xml new file mode 100644 index 0000000..5106ddf --- /dev/null +++ b/doc/man/pam_conv.3.xml @@ -0,0 +1,228 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_conv'> + <refmeta> + <refentrytitle>pam_conv</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_conv-name"> + <refname>pam_conv</refname> + <refpurpose>PAM conversation function</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_conv-synopsis"> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + </funcsynopsis> + <programlisting> +struct pam_message { + int msg_style; + const char *msg; +}; + +struct pam_response { + char *resp; + int resp_retcode; +}; + +struct pam_conv { + int (*conv)(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr); + void *appdata_ptr; +}; + </programlisting> + </refsynopsisdiv> + + <refsect1 id='pam_conv-description'> + <title>DESCRIPTION</title> + <para> + The PAM library uses an application-defined callback to allow + a direct communication between a loaded module and the application. + This callback is specified by the + <emphasis>struct pam_conv</emphasis> passed to + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + at the start of the transaction. + </para> + <para> + When a module calls the referenced conv() function, the argument + <emphasis>appdata_ptr</emphasis> is set to the second element of + this structure. + </para> + <para> + The other arguments of a call to conv() concern the information + exchanged by module and application. That is to say, + <emphasis>num_msg</emphasis> holds the length of the array of + pointers, <emphasis>msg</emphasis>. After a successful return, the + pointer <emphasis>resp</emphasis> points to an array of pam_response + structures, holding the application supplied text. The + <emphasis>resp_retcode</emphasis> member of this struct is unused and + should be set to zero. It is the caller's responsibility to release + both, this array and the responses themselves, using + <citerefentry> + <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. Note, <emphasis>*resp</emphasis> is a + <emphasis>struct pam_response</emphasis> array and not an array of + pointers. + </para> + <para> + The number of responses is always equal to the + <emphasis>num_msg</emphasis> conversation function argument. + This does require that the response array is + <citerefentry> + <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>'d after + every call to the conversation function. The index of the + responses corresponds directly to the prompt index in the + pam_message array. + </para> + <para> + On failure, the conversation function should release any resources + it has allocated, and return one of the predefined PAM error codes. + </para> + <para> + Each message can have one of four types, specified by the + <emphasis>msg_style</emphasis> member of + <emphasis>struct pam_message</emphasis>: + </para> + <variablelist> + <varlistentry> + <term>PAM_PROMPT_ECHO_OFF</term> + <listitem> + <para> + Obtain a string without echoing any text. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PROMPT_ECHO_ON</term> + <listitem> + <para> + Obtain a string whilst echoing text. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ERROR_MSG</term> + <listitem> + <para> + Display an error message. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_TEXT_INFO</term> + <listitem> + <para> + Display some text. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + The point of having an array of messages is that it becomes possible + to pass a number of things to the application in a single call from + the module. It can also be convenient for the application that related + things come at once: a windows based application can then present a + single form with many messages/prompts on at once. + </para> + <para> + In passing, it is worth noting that there is a discrepancy between + the way Linux-PAM handles the const struct pam_message **msg + conversation function argument and the way that Solaris' PAM + (and derivatives, known to include HP/UX, are there others?) does. + Linux-PAM interprets the msg argument as entirely equivalent to the + following prototype + const struct pam_message *msg[] (which, in spirit, is consistent with + the commonly used prototypes for argv argument to the familiar main() + function: char **argv; and char *argv[]). Said another way Linux-PAM + interprets the msg argument as a pointer to an array of num_msg read + only 'struct pam_message' pointers. Solaris' PAM implementation + interprets this argument as a pointer to a pointer to an array of + num_msg pam_message structures. Fortunately, perhaps, for most + module/application developers when num_msg has a value of one these + two definitions are entirely equivalent. Unfortunately, casually + raising this number to two has led to unanticipated compatibility + problems. + </para> + <para> + For what its worth the two known module writer work-arounds for trying + to maintain source level compatibility with both PAM implementations + are: + </para> + <itemizedlist> + <listitem> + <para> + never call the conversation function with num_msg greater than one. + </para> + </listitem> + <listitem> + <para> + set up msg as doubly referenced so both types of conversation + function can find the messages. That is, make + </para> + <programlisting> + msg[n] = & (( *msg )[n]) + </programlisting> + </listitem> + </itemizedlist> + </refsect1> + + <refsect1 id="pam_conv-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + Conversation failure. The application should not set + <emphasis>*resp</emphasis>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Success. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_conv-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_end.3 b/doc/man/pam_end.3 new file mode 100644 index 0000000..be4815e --- /dev/null +++ b/doc/man/pam_end.3 @@ -0,0 +1,89 @@ +'\" t +.\" Title: pam_end +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_END" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_end \- termination of PAM transaction +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_end('u +.BI "int pam_end(pam_handle_t\ *" "pamh" ", int\ " "pam_status" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_end\fR +function terminates the PAM transaction and is the last function an application should call in the PAM context\&. Upon return the handle +\fIpamh\fR +is no longer valid and all memory associated with it will be invalid\&. +.PP +The +\fIpam_status\fR +argument should be set to the value returned to the application by the last PAM library call\&. +.PP +The value taken by +\fIpam_status\fR +is used as an argument to the module specific callback function, +\fBcleanup()\fR +(See +\fBpam_set_data\fR(3) +and +\fBpam_get_data\fR(3))\&. In this way the module can be given notification of the pass/fail nature of the tear\-down process, and perform any last minute tasks that are appropriate to the module before it is unlinked\&. This argument can be logically OR\*(Aqd with +\fIPAM_DATA_SILENT\fR +to indicate that the module should not treat the call too seriously\&. It is generally used to indicate that the current closing of the library is in a +\fBfork\fR(2)ed process, and that the parent will take care of cleaning up things that exist outside of the current process space (files etc\&.)\&. +.PP +This function +\fIfree\fR\*(Aqs all memory for items associated with the +\fBpam_set_item\fR(3) +and +\fBpam_get_item\fR(3) +functions\&. Pointers associated with such objects are not valid anymore after +\fBpam_end\fR +was called\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +Transaction was successful terminated\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +System error, for example a NULL pointer was submitted as PAM handle or the function was called by a module\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_get_data\fR(3), +\fBpam_set_data\fR(3), +\fBpam_start\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_end.3.xml b/doc/man/pam_end.3.xml new file mode 100644 index 0000000..5febf85 --- /dev/null +++ b/doc/man/pam_end.3.xml @@ -0,0 +1,122 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_end'> + + <refmeta> + <refentrytitle>pam_end</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_end-name"> + <refname>pam_end</refname> + <refpurpose>termination of PAM transaction</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_end-synopsis"> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_end</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>pam_status</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_end-description"> + <title>DESCRIPTION</title> + <para> + The <function>pam_end</function> function terminates the PAM + transaction and is the last function an application should call + in the PAM context. Upon return the handle <emphasis>pamh</emphasis> + is no longer valid and all memory associated with it will be + invalid. + </para> + <para> + The <emphasis>pam_status</emphasis> argument should be set to + the value returned to the application by the last PAM + library call. + </para> + <para> + The value taken by <emphasis>pam_status</emphasis> is used as + an argument to the module specific callback function, + <function>cleanup()</function> + (See <citerefentry> + <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> and + <citerefentry> + <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>). In this way the module can be given notification + of the pass/fail nature of the tear-down process, and perform any + last minute tasks that are appropriate to the module before it is + unlinked. This argument can be logically OR'd with + <emphasis>PAM_DATA_SILENT</emphasis> to indicate that + the module should not treat the call too seriously. It is generally + used to indicate that the current closing of the library is in a + <citerefentry> + <refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum> + </citerefentry>ed + process, and that the parent will take care of cleaning up things + that exist outside of the current process space (files etc.). + </para> + + <para> + This function <emphasis>free</emphasis>'s all memory for items + associated with the + <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> and + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> functions. Pointers associated with such objects + are not valid anymore after <function>pam_end</function> was called. + </para> + + </refsect1> + <refsect1 id="pam_end-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Transaction was successful terminated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + System error, for example a NULL pointer was submitted + as PAM handle or the function was called by a module. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_end-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_error.3 b/doc/man/pam_error.3 new file mode 100644 index 0000000..b28d708 --- /dev/null +++ b/doc/man/pam_error.3 @@ -0,0 +1,90 @@ +'\" t +.\" Title: pam_error +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_ERROR" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_error, pam_verror \- display error messages to the user +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_ext\&.h> +.fi +.ft +.HP \w'int\ pam_error('u +.BI "int pam_error(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");" +.HP \w'int\ pam_verror('u +.BI "int pam_verror(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_error\fR +function prints error messages through the conversation function to the user\&. +.PP +The +\fBpam_verror\fR +function performs the same task as +\fBpam_error()\fR +with the difference that it takes a set of arguments which have been obtained using the +\fBstdarg\fR(3) +variable argument list macros\&. +.SH "RETURN VALUES" +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +Conversation failure\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Error message was displayed\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +System error\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_info\fR(3), +\fBpam_vinfo\fR(3), +\fBpam_prompt\fR(3), +\fBpam_vprompt\fR(3), +\fBpam\fR(8) +.SH "STANDARDS" +.PP +The +\fBpam_error\fR +and +\fBpam_verror\fR +functions are Linux\-PAM extensions\&. diff --git a/doc/man/pam_error.3.xml b/doc/man/pam_error.3.xml new file mode 100644 index 0000000..de167f2 --- /dev/null +++ b/doc/man/pam_error.3.xml @@ -0,0 +1,121 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_error"> + + <refmeta> + <refentrytitle>pam_error</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_error-name"> + <refname>pam_error</refname> + <refname>pam_verror</refname> + <refpurpose>display error messages to the user</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv id="pam_error-synopsis"> + <funcsynopsis> + <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_error</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char *<parameter>fmt</parameter></paramdef> + <paramdef><parameter>...</parameter></paramdef> + </funcprototype> + <funcprototype> + <funcdef>int <function>pam_verror</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char *<parameter>fmt</parameter></paramdef> + <paramdef>va_list <parameter>args</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_error-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_error</function> function prints error messages + through the conversation function to the user. + </para> + <para> + The <function>pam_verror</function> function performs the same + task as <function>pam_error()</function> with the difference + that it takes a set of arguments which have been obtained using + the <citerefentry> + <refentrytitle>stdarg</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> variable argument list macros. + </para> + </refsect1> + <refsect1 id="pam_error-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + Conversation failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Error message was displayed. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + System error. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_error-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_info</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_vinfo</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_prompt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_vprompt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_error-standards'> + <title>STANDARDS</title> + <para> + The <function>pam_error</function> and <function>pam_verror</function> + functions are Linux-PAM extensions. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_fail_delay.3 b/doc/man/pam_fail_delay.3 new file mode 100644 index 0000000..bbf2c36 --- /dev/null +++ b/doc/man/pam_fail_delay.3 @@ -0,0 +1,168 @@ +'\" t +.\" Title: pam_fail_delay +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_FAIL_DELAY" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_fail_delay \- request a delay on failure +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_fail_delay('u +.BI "int pam_fail_delay(pam_handle_t\ *" "pamh" ", unsigned\ int\ " "usec" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_fail_delay\fR +function provides a mechanism by which an application or module can suggest a minimum delay of +\fIusec\fR +micro\-seconds\&. The function keeps a record of the longest time requested with this function\&. Should +\fBpam_authenticate\fR(3) +fail, the failing return to the application is delayed by an amount of time randomly distributed (by up to 50%) about this longest value\&. +.PP +Independent of success, the delay time is reset to its zero default value when the PAM service module returns control to the application\&. The delay occurs +\fIafter\fR +all authentication modules have been called, but +\fIbefore\fR +control is returned to the service application\&. +.PP +When using this function the programmer should check if it is available with: +.sp +.if n \{\ +.RS 4 +.\} +.nf +#ifdef HAVE_PAM_FAIL_DELAY + \&.\&.\&.\&. +#endif /* HAVE_PAM_FAIL_DELAY */ + +.fi +.if n \{\ +.RE +.\} +.PP +For applications written with a single thread that are event driven in nature, generating this delay may be undesirable\&. Instead, the application may want to register the delay in some other way\&. For example, in a single threaded server that serves multiple authentication requests from a single event loop, the application might want to simply mark a given connection as blocked until an application timer expires\&. For this reason the delay function can be changed with the +\fIPAM_FAIL_DELAY\fR +item\&. It can be queried and set with +\fBpam_get_item\fR(3) +and +\fBpam_set_item\fR(3) +respectively\&. The value used to set it should be a function pointer of the following prototype: +.sp +.if n \{\ +.RS 4 +.\} +.nf +void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); + +.fi +.if n \{\ +.RE +.\} +.sp +The arguments being the +\fIretval\fR +return code of the module stack, the +\fIusec_delay\fR +micro\-second delay that libpam is requesting and the +\fIappdata_ptr\fR +that the application has associated with the current +\fIpamh\fR\&. This last value was set by the application when it called +\fBpam_start\fR(3) +or explicitly with +\fBpam_set_item\fR(3)\&. +.PP +Note that the PAM_FAIL_DELAY item is set to NULL by default\&. This indicates that PAM should perform a random delay as described above when authentication fails and a delay has been suggested\&. If an application does not want the PAM library to perform any delay on authentication failure, then the application must define a custom delay function that executes no statements and set the PAM_FAIL_DELAY item to point to this function\&. +.SH "RATIONALE" +.PP +It is often possible to attack an authentication scheme by exploiting the time it takes the scheme to deny access to an applicant user\&. In cases of +\fIshort\fR +timeouts, it may prove possible to attempt a +\fIbrute force\fR +dictionary attack \-\- with an automated process, the attacker tries all possible passwords to gain access to the system\&. In other cases, where individual failures can take measurable amounts of time (indicating the nature of the failure), an attacker can obtain useful information about the authentication process\&. These latter attacks make use of procedural delays that constitute a +\fIcovert channel\fR +of useful information\&. +.PP +To minimize the effectiveness of such attacks, it is desirable to introduce a random delay in a failed authentication process\&. Preferable this value should be set by the application or a special PAM module\&. Standard PAM modules should not modify the delay unconditional\&. +.SH "EXAMPLE" +.PP +For example, a login application may require a failure delay of roughly 3 seconds\&. It will contain the following code: +.sp +.if n \{\ +.RS 4 +.\} +.nf + pam_fail_delay (pamh, 3000000 /* micro\-seconds */ ); + pam_authenticate (pamh, 0); + +.fi +.if n \{\ +.RE +.\} +.PP +if the modules do not request a delay, the failure delay will be between 1\&.5 and 4\&.5 seconds\&. +.PP +However, the modules, invoked in the authentication process, may also request delays: +.sp +.if n \{\ +.RS 4 +.\} +.nf +module #1: pam_fail_delay (pamh, 2000000); +module #2: pam_fail_delay (pamh, 4000000); + +.fi +.if n \{\ +.RE +.\} +.PP +in this case, it is the largest requested value that is used to compute the actual failed delay: here between 2 and 6 seconds\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +Delay was successful adjusted\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +A NULL pointer was submitted as PAM handle\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_start\fR(3), +\fBpam_get_item\fR(3), +\fBpam_strerror\fR(3) +.SH "STANDARDS" +.PP +The +\fBpam_fail_delay\fR +function is an Linux\-PAM extension\&. diff --git a/doc/man/pam_fail_delay.3.xml b/doc/man/pam_fail_delay.3.xml new file mode 100644 index 0000000..53c1f89 --- /dev/null +++ b/doc/man/pam_fail_delay.3.xml @@ -0,0 +1,209 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_fail_delay"> + + <refmeta> + <refentrytitle>pam_fail_delay</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_fail_delay-name"> + <refname>pam_fail_delay</refname> + <refpurpose>request a delay on failure</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_fail_delay-synopsis"> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_fail_delay</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>unsigned int <parameter>usec</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_fail_delay-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_fail_delay</function> function provides a + mechanism by which an application or module can suggest a minimum + delay of <emphasis>usec</emphasis> micro-seconds. The + function keeps a record of the longest time requested with this + function. Should + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> fail, the failing return to the application is + delayed by an amount of time randomly distributed (by up to 50%) + about this longest value. + </para> + <para> + Independent of success, the delay time is reset to its zero + default value when the PAM service module returns control to + the application. The delay occurs <emphasis>after</emphasis> all + authentication modules have been called, but <emphasis>before</emphasis> + control is returned to the service application. + </para> + <para> + When using this function the programmer should check if it is + available with: + </para> + <programlisting> +#ifdef HAVE_PAM_FAIL_DELAY + .... +#endif /* HAVE_PAM_FAIL_DELAY */ + </programlisting> + + <para> + For applications written with a single thread that are event + driven in nature, generating this delay may be undesirable. + Instead, the application may want to register the delay in some + other way. For example, in a single threaded server that serves + multiple authentication requests from a single event loop, the + application might want to simply mark a given connection as + blocked until an application timer expires. For this reason + the delay function can be changed with the + <emphasis>PAM_FAIL_DELAY</emphasis> item. It can be queried and + set with + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + and + <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> respectively. The value used to set it should be + a function pointer of the following prototype: + <programlisting> +void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); + </programlisting> + The arguments being the <emphasis>retval</emphasis> return code + of the module stack, the <emphasis>usec_delay</emphasis> + micro-second delay that libpam is requesting and the + <emphasis>appdata_ptr</emphasis> that the application has associated + with the current <emphasis>pamh</emphasis>. This last value was set + by the application when it called + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> or explicitly with + <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + <para> + Note that the PAM_FAIL_DELAY item is set to NULL by default. This + indicates that PAM should perform a random delay as described + above when authentication fails and a delay has been suggested. + If an application does not want the PAM library to perform any + delay on authentication failure, then the application must define + a custom delay function that executes no statements and set + the PAM_FAIL_DELAY item to point to this function. + </para> + </refsect1> + + <refsect1 id='pam_fail_delay-rationale'> + <title>RATIONALE</title> + <para> + It is often possible to attack an authentication scheme by exploiting + the time it takes the scheme to deny access to an applicant user. In + cases of <emphasis>short</emphasis> timeouts, it may prove possible + to attempt a <emphasis>brute force</emphasis> dictionary attack -- + with an automated process, the attacker tries all possible passwords + to gain access to the system. In other cases, where individual + failures can take measurable amounts of time (indicating the nature + of the failure), an attacker can obtain useful information about the + authentication process. These latter attacks make use of procedural + delays that constitute a <emphasis>covert channel</emphasis> + of useful information. + </para> + <para> + To minimize the effectiveness of such attacks, it is desirable to + introduce a random delay in a failed authentication process. + Preferable this value should be set by the application or a special + PAM module. Standard PAM modules should not modify the delay + unconditional. + </para> + </refsect1> + + <refsect1 id='pam_fail_delay-example'> + <title>EXAMPLE</title> + <para> + For example, a login application may require a failure delay of + roughly 3 seconds. It will contain the following code: + </para> + <programlisting> + pam_fail_delay (pamh, 3000000 /* micro-seconds */ ); + pam_authenticate (pamh, 0); + </programlisting> + + <para> + if the modules do not request a delay, the failure delay will be + between 1.5 and 4.5 seconds. + </para> + + <para> + However, the modules, invoked in the authentication process, may + also request delays: + </para> + + <programlisting> +module #1: pam_fail_delay (pamh, 2000000); +module #2: pam_fail_delay (pamh, 4000000); + </programlisting> + + <para> + in this case, it is the largest requested value that is used to + compute the actual failed delay: here between 2 and 6 seconds. + </para> + </refsect1> + + <refsect1 id='pam_fail_delay-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Delay was successful adjusted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + A NULL pointer was submitted as PAM handle. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_fail_delay-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_fail_delay-standards'> + <title>STANDARDS</title> + <para> + The <function>pam_fail_delay</function> function is an + Linux-PAM extension. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_get_authtok.3 b/doc/man/pam_get_authtok.3 new file mode 100644 index 0000000..755dd68 --- /dev/null +++ b/doc/man/pam_get_authtok.3 @@ -0,0 +1,170 @@ +'\" t +.\" Title: pam_get_authtok +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_GET_AUTHTOK" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_get_authtok, pam_get_authtok_verify, pam_get_authtok_noverify \- get authentication token +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_ext\&.h> +.fi +.ft +.HP \w'int\ pam_get_authtok('u +.BI "int pam_get_authtok(pam_handle_t\ *" "pamh" ", int\ " "item" ", const\ char\ **" "authtok" ", const\ char\ *" "prompt" ");" +.HP \w'int\ pam_get_authtok_noverify('u +.BI "int pam_get_authtok_noverify(pam_handle_t\ *" "pamh" ", const\ char\ **" "authtok" ", const\ char\ *" "prompt" ");" +.HP \w'int\ pam_get_authtok_verify('u +.BI "int pam_get_authtok_verify(pam_handle_t\ *" "pamh" ", const\ char\ **" "authtok" ", const\ char\ *" "prompt" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_get_authtok\fR +function returns the cached authentication token, or prompts the user if no token is currently cached\&. It is intended for internal use by Linux\-PAM and PAM service modules\&. Upon successful return, +\fIauthtok\fR +contains a pointer to the value of the authentication token\&. Note, this is a pointer to the +\fIactual\fR +data and should +\fBnot\fR +be +\fIfree()\fR\*(Aqed or over\-written! +.PP +The +\fIprompt\fR +argument specifies a prompt to use if no token is cached\&. If a NULL pointer is given, +\fBpam_get_authtok\fR +uses pre\-defined prompts\&. +.PP +The following values are supported for +\fIitem\fR: +.PP +PAM_AUTHTOK +.RS 4 +Returns the current authentication token\&. Called from +\fBpam_sm_chauthtok\fR(3) +\fBpam_get_authtok\fR +will ask the user to confirm the new token by retyping it\&. If a prompt was specified, "Retype" will be used as prefix\&. +.RE +.PP +PAM_OLDAUTHTOK +.RS 4 +Returns the previous authentication token when changing authentication tokens\&. +.RE +.PP +The +\fBpam_get_authtok_noverify\fR +function can only be used for changing the password (from +\fBpam_sm_chauthtok\fR(3))\&. It returns the cached authentication token, or prompts the user if no token is currently cached\&. The difference to +\fBpam_get_authtok\fR +is, that this function does not ask a second time for the password to verify it\&. Upon successful return, +\fIauthtok\fR +contains a pointer to the value of the authentication token\&. Note, this is a pointer to the +\fIactual\fR +data and should +\fBnot\fR +be +\fIfree()\fR\*(Aqed or over\-written! +.PP +The +\fBpam_get_authtok_verify\fR +function can only be used to verify a password for mistypes gotten by +\fBpam_get_authtok_noverify\fR(3)\&. This function asks a second time for the password and verify it with the password provided by +\fIauthtok\fR +argument\&. In case of an error, the value of +\fIauthtok\fR +is undefined\&. Else this argument will point to the +\fIactual\fR +data and should +\fBnot\fR +be +\fIfree()\fR\*(Aqed or over\-written! +.SH "OPTIONS" +.PP +\fBpam_get_authtok\fR +honours the following module options: +.PP +\fBtry_first_pass\fR +.RS 4 +Before prompting the user for their password, the module first tries the previous stacked module\*(Aqs password in case that satisfies this module as well\&. +.RE +.PP +\fBuse_first_pass\fR +.RS 4 +The argument +\fBuse_first_pass\fR +forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&. +.RE +.PP +\fBuse_authtok\fR +.RS 4 +When password changing enforce the module to set the new token to the one provided by a previously stacked +\fBpassword\fR +module\&. If no token is available token changing will fail\&. +.RE +.PP +\fBauthtok_type=\fR\fB\fIXXX\fR\fR +.RS 4 +The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\&. The example word +\fIUNIX\fR +can be replaced with this option, by default it is empty\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_AUTH_ERR +.RS 4 +Authentication token could not be retrieved\&. +.RE +.PP +PAM_AUTHTOK_ERR +.RS 4 +New authentication could not be retrieved\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Authentication token was successfully retrieved\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +No space for an authentication token was provided\&. +.RE +.PP +PAM_TRY_AGAIN +.RS 4 +New authentication tokens mismatch\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam\fR(8) +.SH "STANDARDS" +.PP +The +\fBpam_get_authtok\fR +function is a Linux\-PAM extensions\&. diff --git a/doc/man/pam_get_authtok.3.xml b/doc/man/pam_get_authtok.3.xml new file mode 100644 index 0000000..5d50b16 --- /dev/null +++ b/doc/man/pam_get_authtok.3.xml @@ -0,0 +1,248 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_get_authtok"> + + <refmeta> + <refentrytitle>pam_get_authtok</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_get_authtok-name"> + <refname>pam_get_authtok</refname> + <refname>pam_get_authtok_verify</refname> + <refname>pam_get_authtok_noverify</refname> + <refpurpose>get authentication token</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv id="pam_get_authtok-synopsis"> + <funcsynopsis> + <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_get_authtok</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>item</parameter></paramdef> + <paramdef>const char **<parameter>authtok</parameter></paramdef> + <paramdef>const char *<parameter>prompt</parameter></paramdef> + </funcprototype> + <funcprototype> + <funcdef>int <function>pam_get_authtok_noverify</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char **<parameter>authtok</parameter></paramdef> + <paramdef>const char *<parameter>prompt</parameter></paramdef> + </funcprototype> + <funcprototype> + <funcdef>int <function>pam_get_authtok_verify</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char **<parameter>authtok</parameter></paramdef> + <paramdef>const char *<parameter>prompt</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_get_authtok-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_get_authtok</function> function returns the + cached authentication token, or prompts the user if no token is + currently cached. It is intended for internal use by Linux-PAM and + PAM service modules. Upon successful return, + <emphasis>authtok</emphasis> contains a pointer to the value of the + authentication token. Note, this is a pointer to the + <emphasis>actual</emphasis> data and should + <emphasis remap="B">not</emphasis> be <emphasis>free()</emphasis>'ed or + over-written! + </para> + <para> + The <emphasis>prompt</emphasis> argument specifies a prompt to use + if no token is cached. If a NULL pointer + is given, <function>pam_get_authtok</function> uses pre-defined prompts. + </para> + <para> + The following values are supported for <emphasis>item</emphasis>: + </para> + <variablelist> + <varlistentry> + <term>PAM_AUTHTOK</term> + <listitem> + <para> + Returns the current authentication token. Called from + <citerefentry><refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> <function>pam_get_authtok</function> will + ask the user to confirm the new token by retyping it. If + a prompt was specified, "Retype" will be used as prefix. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_OLDAUTHTOK</term> + <listitem> + <para> + Returns the previous authentication token when changing + authentication tokens. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + The <function>pam_get_authtok_noverify</function> function can + only be used for changing the password + (from <citerefentry> + <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>). It returns the cached + authentication token, or prompts the user if no token is + currently cached. The difference to <function>pam_get_authtok</function> + is, that this function does not ask a second time for the password + to verify it. Upon successful return, <emphasis>authtok</emphasis> + contains a pointer to the value of the authentication token. Note, + this is a pointer to the + <emphasis>actual</emphasis> data and should + <emphasis remap="B">not</emphasis> be <emphasis>free()</emphasis>'ed or + over-written! + </para> + <para> + The <function>pam_get_authtok_verify</function> function can + only be used to verify a password for mistypes gotten by + <citerefentry> + <refentrytitle>pam_get_authtok_noverify</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. This function asks a second time for the password + and verify it with the password provided by <emphasis>authtok</emphasis> + argument. In case of an error, the value of <emphasis>authtok</emphasis> + is undefined. Else this argument will point to the + <emphasis>actual</emphasis> data and should + <emphasis remap="B">not</emphasis> be <emphasis>free()</emphasis>'ed or + over-written! + </para> + </refsect1> + + <refsect1 id="pam_get_authtok-options"> + <title>OPTIONS</title> + <para> + <function>pam_get_authtok</function> honours the following module + options: + </para> + <variablelist> + <varlistentry> + <term> + <option>try_first_pass</option> + </term> + <listitem> + <para> + Before prompting the user for their password, the module first + tries the previous stacked module's password in case that + satisfies this module as well. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_first_pass</option> + </term> + <listitem> + <para> + The argument <option>use_first_pass</option> forces the module + to use a previous stacked modules password and will never prompt + the user - if no password is available or the password is not + appropriate, the user will be denied access. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_authtok</option> + </term> + <listitem> + <para> + When password changing enforce the module to set the new + token to the one provided by a previously stacked + <option>password</option> module. If no token is available + token changing will fail. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>authtok_type=<replaceable>XXX</replaceable></option> + </term> + <listitem> + <para> + The default action is for the module to use the + following prompts when requesting passwords: + "New UNIX password: " and "Retype UNIX password: ". + The example word <emphasis>UNIX</emphasis> can + be replaced with this option, by default it is empty. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + + <refsect1 id="pam_get_authtok-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication token could not be retrieved. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_ERR</term> + <listitem> + <para> + New authentication could not be retrieved. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Authentication token was successfully retrieved. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + No space for an authentication token was provided. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_TRY_AGAIN</term> + <listitem> + <para> + New authentication tokens mismatch. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_get_authtok-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_get_authtok-standards'> + <title>STANDARDS</title> + <para> + The <function>pam_get_authtok</function> function is a Linux-PAM + extensions. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_get_authtok_noverify.3 b/doc/man/pam_get_authtok_noverify.3 new file mode 100644 index 0000000..a990dbc --- /dev/null +++ b/doc/man/pam_get_authtok_noverify.3 @@ -0,0 +1 @@ +.so man3/pam_get_authtok.3 diff --git a/doc/man/pam_get_authtok_verify.3 b/doc/man/pam_get_authtok_verify.3 new file mode 100644 index 0000000..a990dbc --- /dev/null +++ b/doc/man/pam_get_authtok_verify.3 @@ -0,0 +1 @@ +.so man3/pam_get_authtok.3 diff --git a/doc/man/pam_get_data.3 b/doc/man/pam_get_data.3 new file mode 100644 index 0000000..3eac2ef --- /dev/null +++ b/doc/man/pam_get_data.3 @@ -0,0 +1,82 @@ +'\" t +.\" Title: pam_get_data +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_GET_DATA" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_get_data \- get module internal data +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_get_data('u +.BI "int pam_get_data(const\ pam_handle_t\ *" "pamh" ", const\ char\ *" "module_data_name" ", const\ void\ **" "data" ");" +.SH "DESCRIPTION" +.PP +This function together with the +\fBpam_set_data\fR(3) +function is useful to manage module\-specific data meaningful only to the calling PAM module\&. +.PP +The +\fBpam_get_data\fR +function looks up the object associated with the (hopefully) unique string +\fImodule_data_name\fR +in the PAM context specified by the +\fIpamh\fR +argument\&. A successful call to +\fBpam_get_data\fR +will result in +\fIdata\fR +pointing to the object\&. Note, this data is +\fInot\fR +a copy and should be treated as +\fIconstant\fR +by the module\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +Data was successful retrieved\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +A NULL pointer was submitted as PAM handle or the function was called by an application\&. +.RE +.PP +PAM_NO_MODULE_DATA +.RS 4 +Module data not found or there is an entry, but it has the value NULL\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_end\fR(3), +\fBpam_set_data\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_get_data.3.xml b/doc/man/pam_get_data.3.xml new file mode 100644 index 0000000..e84e5a4 --- /dev/null +++ b/doc/man/pam_get_data.3.xml @@ -0,0 +1,108 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_get_data'> + + <refmeta> + <refentrytitle>pam_get_data</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_get_data-name'> + <refname>pam_get_data</refname> + <refpurpose> + get module internal data + </refpurpose> + </refnamediv> + + +<!-- body begins here --> + + <refsynopsisdiv> + + <funcsynopsis id="pam_get_data-synopsis"> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_get_data</function></funcdef> + <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char *<parameter>module_data_name</parameter></paramdef> + <paramdef>const void **<parameter>data</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + </refsynopsisdiv> + + + <refsect1 id="pam_get_data-description"> + <title>DESCRIPTION</title> + <para> + This function together with the + <citerefentry> + <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function + is useful to manage module-specific data meaningful only to + the calling PAM module. + </para> + <para> + The <function>pam_get_data</function> function looks up the + object associated with the (hopefully) unique string + <emphasis>module_data_name</emphasis> in the PAM context + specified by the <emphasis>pamh</emphasis> argument. + A successful call to + <function>pam_get_data</function> will result in + <emphasis>data</emphasis> pointing to the object. Note, + this data is <emphasis>not</emphasis> a copy and should be + treated as <emphasis>constant</emphasis> by the module. + </para> + </refsect1> + + <refsect1 id="pam_get_data-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Data was successful retrieved. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + A NULL pointer was submitted as PAM handle or the + function was called by an application. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_NO_MODULE_DATA</term> + <listitem> + <para> + Module data not found or there is an entry, but it has + the value NULL. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_get_data-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_get_item.3 b/doc/man/pam_get_item.3 new file mode 100644 index 0000000..b0e05d1 --- /dev/null +++ b/doc/man/pam_get_item.3 @@ -0,0 +1,196 @@ +'\" t +.\" Title: pam_get_item +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_GET_ITEM" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_get_item \- getting PAM information +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_get_item('u +.BI "int pam_get_item(const\ pam_handle_t\ *" "pamh" ", int\ " "item_type" ", const\ void\ **" "item" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_get_item\fR +function allows applications and PAM service modules to access and retrieve PAM information of +\fIitem_type\fR\&. Upon successful return, +\fIitem\fR +contains a pointer to the value of the corresponding item\&. Note, this is a pointer to the +\fIactual\fR +data and should +\fBnot\fR +be +\fIfree()\fR\*(Aqed or over\-written! The following values are supported for +\fIitem_type\fR: +.PP +PAM_SERVICE +.RS 4 +The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program)\&. +.RE +.PP +PAM_USER +.RS 4 +The username of the entity under whose identity service will be given\&. That is, following authentication, +\fIPAM_USER\fR +identifies the local entity that gets to use the service\&. Note, this value can be mapped from something (eg\&., "anonymous") to something else (eg\&. "guest119") by any module in the PAM stack\&. As such an application should consult the value of +\fIPAM_USER\fR +after each call to a PAM function\&. +.RE +.PP +PAM_USER_PROMPT +.RS 4 +The string used when prompting for a user\*(Aqs name\&. The default value for this string is a localized version of "login: "\&. +.RE +.PP +PAM_TTY +.RS 4 +The terminal name: prefixed by +/dev/ +if it is a device file; for graphical, X\-based, applications the value for this item should be the +\fI$DISPLAY\fR +variable\&. +.RE +.PP +PAM_RUSER +.RS 4 +The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user\&. +.sp +Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\&. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\&. +.sp +\fIPAM_RUSER@PAM_RHOST\fR +should always identify the requesting user\&. In some cases, +\fIPAM_RUSER\fR +may be NULL\&. In such situations, it is unclear who the requesting entity is\&. +.RE +.PP +PAM_RHOST +.RS 4 +The requesting hostname (the hostname of the machine from which the +\fIPAM_RUSER\fR +entity is requesting service)\&. That is +\fIPAM_RUSER@PAM_RHOST\fR +does identify the requesting user\&. In some applications, +\fIPAM_RHOST\fR +may be NULL\&. In such situations, it is unclear where the authentication request is originating from\&. +.RE +.PP +PAM_AUTHTOK +.RS 4 +The authentication token (often a password)\&. This token should be ignored by all module functions besides +\fBpam_sm_authenticate\fR(3) +and +\fBpam_sm_chauthtok\fR(3)\&. In the former function it is used to pass the most recent authentication token from one stacked module to another\&. In the latter function the token is used for another purpose\&. It contains the currently active authentication token\&. +.RE +.PP +PAM_OLDAUTHTOK +.RS 4 +The old authentication token\&. This token should be ignored by all module functions except +\fBpam_sm_chauthtok\fR(3)\&. +.RE +.PP +PAM_CONV +.RS 4 +The pam_conv structure\&. See +\fBpam_conv\fR(3)\&. +.RE +.PP +The following additional items are specific to Linux\-PAM and should not be used in portable applications: +.PP +PAM_FAIL_DELAY +.RS 4 +A function pointer to redirect centrally managed failure delays\&. See +\fBpam_fail_delay\fR(3)\&. +.RE +.PP +PAM_XDISPLAY +.RS 4 +The name of the X display\&. For graphical, X\-based applications the value for this item should be the +\fI$DISPLAY\fR +variable\&. This value may be used independently of +\fIPAM_TTY\fR +for passing the name of the display\&. +.RE +.PP +PAM_XAUTHDATA +.RS 4 +A pointer to a structure containing the X authentication data required to make a connection to the display specified by +\fIPAM_XDISPLAY\fR, if such information is necessary\&. See +\fBpam_xauth_data\fR(3)\&. +.RE +.PP +PAM_AUTHTOK_TYPE +.RS 4 +The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\&. The example word +\fIUNIX\fR +can be replaced with this item, by default it is empty\&. This item is used by +\fBpam_get_authtok\fR(3)\&. +.RE +.PP +If a service module wishes to obtain the name of the user, it should not use this function, but instead perform a call to +\fBpam_get_user\fR(3)\&. +.PP +Only a service module is privileged to read the authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK\&. +.SH "RETURN VALUES" +.PP +PAM_BAD_ITEM +.RS 4 +The application attempted to set an undefined or inaccessible item\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_PERM_DENIED +.RS 4 +The value of +\fIitem\fR +was NULL\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Data was successful updated\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +The +\fIpam_handle_t\fR +passed as first argument was invalid\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_set_item\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_get_item.3.xml b/doc/man/pam_get_item.3.xml new file mode 100644 index 0000000..1145273 --- /dev/null +++ b/doc/man/pam_get_item.3.xml @@ -0,0 +1,143 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" +[ +<!-- +<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml"> +<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml"> +--> +]> + +<refentry id='pam_get_item'> + + <refmeta> + <refentrytitle>pam_get_item</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_get_item-name'> + <refname>pam_get_item</refname> + <refpurpose> + getting PAM information + </refpurpose> + </refnamediv> + + +<!-- body begins here --> + + <refsynopsisdiv> + + <funcsynopsis id="pam_get_item-synopsis"> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_get_item</function></funcdef> + <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>item_type</parameter></paramdef> + <paramdef>const void **<parameter>item</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + </refsynopsisdiv> + + + <refsect1 id="pam_get_item-description"> + <title>DESCRIPTION</title> + <para> + The <function>pam_get_item</function> function allows applications + and PAM service modules to access and retrieve PAM information + of <emphasis>item_type</emphasis>. Upon successful return, + <emphasis>item</emphasis> contains a pointer to the value of the + corresponding item. Note, this is a pointer to the + <emphasis>actual</emphasis> data and should + <emphasis remap="B">not</emphasis> be <emphasis>free()</emphasis>'ed or + over-written! The following values are supported for + <emphasis>item_type</emphasis>: + </para> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_item_types_std.inc.xml"/> + + <para> + The following additional items are specific to Linux-PAM and should not be used in + portable applications: + </para> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_item_types_ext.inc.xml"/> + + <para> + If a service module wishes to obtain the name of the user, + it should not use this function, but instead perform a call to + <citerefentry> + <refentrytitle>pam_get_user</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + <para> + Only a service module is privileged to read the + authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK. + </para> + + </refsect1> + + <refsect1 id="pam_get_item-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BAD_ITEM</term> + <listitem> + <para> + The application attempted to set an undefined or inaccessible + item. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + The value of <emphasis>item</emphasis> was NULL. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Data was successful updated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + The <emphasis>pam_handle_t</emphasis> passed as first + argument was invalid. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_get_item-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_get_user.3 b/doc/man/pam_get_user.3 new file mode 100644 index 0000000..12cfaf4 --- /dev/null +++ b/doc/man/pam_get_user.3 @@ -0,0 +1,138 @@ +'\" t +.\" Title: pam_get_user +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_GET_USER" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_get_user \- get user name +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_get_user('u +.BI "int pam_get_user(const\ pam_handle_t\ *" "pamh" ", const\ char\ **" "user" ", const\ char\ *" "prompt" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_get_user\fR +function returns the name of the user specified by +\fBpam_start\fR(3)\&. If no user was specified it returns what +\fBpam_get_item (pamh, PAM_USER, \&.\&.\&. );\fR +would have returned\&. If this is NULL it obtains the username via the +\fBpam_conv\fR(3) +mechanism, it prompts the user with the first non\-NULL string in the following list: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +The +\fIprompt\fR +argument passed to the function\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +What is returned by pam_get_item (pamh, PAM_USER_PROMPT, \&.\&.\&. ); +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +The default prompt: "login: " +.RE +.PP +By whatever means the username is obtained, a pointer to it is returned as the contents of +\fI*user\fR\&. Note, this memory should +\fBnot\fR +be +\fIfree()\fR\*(Aqd or +\fImodified\fR +by the module\&. +.PP +This function sets the +\fIPAM_USER\fR +item associated with the +\fBpam_set_item\fR(3) +and +\fBpam_get_item\fR(3) +functions\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +User name was successful retrieved\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +A NULL pointer was submitted\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +The conversation method supplied by the application failed to obtain the username\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_ABORT +.RS 4 +Error resuming an old conversation\&. +.RE +.PP +PAM_CONV_AGAIN +.RS 4 +The conversation method supplied by the application is waiting for an event\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_end\fR(3), +\fBpam_get_item\fR(3), +\fBpam_set_item\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_get_user.3.xml b/doc/man/pam_get_user.3.xml new file mode 100644 index 0000000..8bb176e --- /dev/null +++ b/doc/man/pam_get_user.3.xml @@ -0,0 +1,164 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_get_user'> + + <refmeta> + <refentrytitle>pam_get_user</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_get_user-name'> + <refname>pam_get_user</refname> + <refpurpose> + get user name + </refpurpose> + </refnamediv> + + +<!-- body begins here --> + + <refsynopsisdiv> + + <funcsynopsis id="pam_get_user-synopsis"> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_get_user</function></funcdef> + <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char **<parameter>user</parameter></paramdef> + <paramdef>const char *<parameter>prompt</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + </refsynopsisdiv> + + + <refsect1 id="pam_get_user-description"> + <title>DESCRIPTION</title> + <para> + The <function>pam_get_user</function> function returns the + name of the user specified by + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. If no user was specified it returns what + <function>pam_get_item (pamh, PAM_USER, ... );</function> would + have returned. If this is NULL it obtains the username via the + <citerefentry> + <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> mechanism, it prompts the user with the first + non-NULL string in the following list: + </para> + + <itemizedlist> + <listitem> + <para> + The <emphasis>prompt</emphasis> argument passed to the function. + </para> + </listitem> + <listitem> + <para> + What is returned by pam_get_item (pamh, PAM_USER_PROMPT, ... ); + </para> + </listitem> + <listitem> + <para> + The default prompt: "login: " + </para> + </listitem> + </itemizedlist> + <para> + By whatever means the username is obtained, a pointer to it is + returned as the contents of <emphasis>*user</emphasis>. Note, + this memory should <emphasis remap="B">not</emphasis> be + <emphasis>free()</emphasis>'d or <emphasis>modified</emphasis> + by the module. + </para> + <para> + This function sets the <emphasis>PAM_USER</emphasis> item + associated with the + <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> and + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> functions. + </para> + </refsect1> + + <refsect1 id="pam_get_user-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + User name was successful retrieved. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + A NULL pointer was submitted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + The conversation method supplied by the + application failed to obtain the username. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + Error resuming an old conversation. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_AGAIN</term> + <listitem> + <para> + The conversation method supplied by the application + is waiting for an event. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_get_user-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_getenv.3 b/doc/man/pam_getenv.3 new file mode 100644 index 0000000..56f32ba --- /dev/null +++ b/doc/man/pam_getenv.3 @@ -0,0 +1,60 @@ +'\" t +.\" Title: pam_getenv +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_GETENV" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_getenv \- get a PAM environment variable +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'const\ char\ *pam_getenv('u +.BI "const char *pam_getenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_getenv\fR +function searches the PAM environment list as associated with the handle +\fIpamh\fR +for an item that matches the string pointed to by +\fIname\fR +and returns a pointer to the value of the environment variable\&. The application is not allowed to free the data\&. +.SH "RETURN VALUES" +.PP +The +\fBpam_getenv\fR +function returns NULL on failure\&. +.SH "SEE ALSO" +.PP +\fBpam_start\fR(3), +\fBpam_getenvlist\fR(3), +\fBpam_putenv\fR(3), +\fBpam\fR(8) diff --git a/doc/man/pam_getenv.3.xml b/doc/man/pam_getenv.3.xml new file mode 100644 index 0000000..7e8db01 --- /dev/null +++ b/doc/man/pam_getenv.3.xml @@ -0,0 +1,67 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_getenv'> + <refmeta> + <refentrytitle>pam_getenv</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_getenv-name"> + <refname>pam_getenv</refname> + <refpurpose>get a PAM environment variable</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_getenv-synopsis'> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>const char *<function>pam_getenv</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char *<parameter>name</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_getenv-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_getenv</function> function searches the + PAM environment list as associated with the handle + <emphasis>pamh</emphasis> for an item that matches the string + pointed to by <emphasis>name</emphasis> and returns a pointer + to the value of the environment variable. The application is + not allowed to free the data. + </para> + </refsect1> + + <refsect1 id="pam_getenv-return_values"> + <title>RETURN VALUES</title> + <para> + The <function>pam_getenv</function> function returns NULL + on failure. + </para> + </refsect1> + + <refsect1 id='pam_getenv-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_getenvlist.3 b/doc/man/pam_getenvlist.3 new file mode 100644 index 0000000..9ce441d --- /dev/null +++ b/doc/man/pam_getenvlist.3 @@ -0,0 +1,66 @@ +'\" t +.\" Title: pam_getenvlist +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_GETENVLIST" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_getenvlist \- getting the PAM environment +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'char\ **pam_getenvlist('u +.BI "char **pam_getenvlist(pam_handle_t\ *" "pamh" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_getenvlist\fR +function returns a complete copy of the PAM environment as associated with the handle +\fIpamh\fR\&. The PAM environment variables represent the contents of the regular environment variables of the authenticated user when service is granted\&. +.PP +The format of the memory is a malloc()\*(Aqd array of char pointers, the last element of which is set to NULL\&. Each of the non\-NULL entries in this array point to a NUL terminated and malloc()\*(Aqd char string of the form: "\fIname=value\fR"\&. +.PP +It should be noted that this memory will never be free()\*(Aqd by libpam\&. Once obtained by a call to +\fBpam_getenvlist\fR, it is the responsibility of the calling application to free() this memory\&. +.PP +It is by design, and not a coincidence, that the format and contents of the returned array matches that required for the third argument of the +\fBexecle\fR(3) +function call\&. +.SH "RETURN VALUES" +.PP +The +\fBpam_getenvlist\fR +function returns NULL on failure\&. +.SH "SEE ALSO" +.PP +\fBpam_start\fR(3), +\fBpam_getenv\fR(3), +\fBpam_putenv\fR(3), +\fBpam\fR(8) diff --git a/doc/man/pam_getenvlist.3.xml b/doc/man/pam_getenvlist.3.xml new file mode 100644 index 0000000..1c29b73 --- /dev/null +++ b/doc/man/pam_getenvlist.3.xml @@ -0,0 +1,85 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_getenvlist'> + <refmeta> + <refentrytitle>pam_getenvlist</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_getenvlist-name"> + <refname>pam_getenvlist</refname> + <refpurpose>getting the PAM environment</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_getenvlist-synopsis'> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>char **<function>pam_getenvlist</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_getenvlist-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_getenvlist</function> function returns a complete + copy of the PAM environment as associated with the handle + <emphasis>pamh</emphasis>. The PAM environment variables + represent the contents of the regular environment variables of the + authenticated user when service is granted. + </para> + <para> + The format of the memory is a malloc()'d array of char pointers, + the last element of which is set to NULL. Each of the non-NULL + entries in this array point to a NUL terminated and malloc()'d + char string of the form: "<emphasis>name=value</emphasis>". + </para> + <para> + It should be noted that this memory will never be free()'d by + libpam. Once obtained by a call to + <function>pam_getenvlist</function>, it is the responsibility of + the calling application to free() this memory. + </para> + <para> + It is by design, and not a coincidence, that the format and contents + of the returned array matches that required for the third argument of + the + <citerefentry> + <refentrytitle>execle</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function call. + </para> + </refsect1> + + <refsect1 id="pam_getenvlist-return_values"> + <title>RETURN VALUES</title> + <para> + The <function>pam_getenvlist</function> function returns NULL + on failure. + </para> + </refsect1> + + <refsect1 id='pam_getenvlist-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_info.3 b/doc/man/pam_info.3 new file mode 100644 index 0000000..c6d175b --- /dev/null +++ b/doc/man/pam_info.3 @@ -0,0 +1,86 @@ +'\" t +.\" Title: pam_info +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_INFO" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_info, pam_vinfo \- display messages to the user +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_ext\&.h> +.fi +.ft +.HP \w'int\ pam_info('u +.BI "int pam_info(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");" +.HP \w'int\ pam_vinfo('u +.BI "int pam_vinfo(pam_handle_t\ *" "pamh" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_info\fR +function prints messages through the conversation function to the user\&. +.PP +The +\fBpam_vinfo\fR +function performs the same task as +\fBpam_info()\fR +with the difference that it takes a set of arguments which have been obtained using the +\fBstdarg\fR(3) +variable argument list macros\&. +.SH "RETURN VALUES" +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +Conversation failure\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Transaction was successful created\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +System error\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam\fR(8) +.SH "STANDARDS" +.PP +The +\fBpam_info\fR +and +\fBpam_vinfo\fR +functions are Linux\-PAM extensions\&. diff --git a/doc/man/pam_info.3.xml b/doc/man/pam_info.3.xml new file mode 100644 index 0000000..88e671c --- /dev/null +++ b/doc/man/pam_info.3.xml @@ -0,0 +1,109 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_info"> + + <refmeta> + <refentrytitle>pam_info</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_info-name"> + <refname>pam_info</refname> + <refname>pam_vinfo</refname> + <refpurpose>display messages to the user</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv id="pam_info-synopsis"> + <funcsynopsis> + <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_info</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char *<parameter>fmt</parameter></paramdef> + <paramdef><parameter>...</parameter></paramdef> + </funcprototype> + <funcprototype> + <funcdef>int <function>pam_vinfo</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char *<parameter>fmt</parameter></paramdef> + <paramdef>va_list <parameter>args</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_info-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_info</function> function prints messages + through the conversation function to the user. + </para> + <para> + The <function>pam_vinfo</function> function performs the same + task as <function>pam_info()</function> with the difference + that it takes a set of arguments which have been obtained using + the <citerefentry> + <refentrytitle>stdarg</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> variable argument list macros. + </para> + </refsect1> + <refsect1 id="pam_info-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + Conversation failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Transaction was successful created. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + System error. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_info-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_info-standards'> + <title>STANDARDS</title> + <para> + The <function>pam_info</function> and <function>pam_vinfo</function> + functions are Linux-PAM extensions. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_item_types_ext.inc.xml b/doc/man/pam_item_types_ext.inc.xml new file mode 100644 index 0000000..d36a5bd --- /dev/null +++ b/doc/man/pam_item_types_ext.inc.xml @@ -0,0 +1,61 @@ +<!-- this file is included by pam_set_item and pam_get_item --> + + <variablelist> + <varlistentry> + <term>PAM_FAIL_DELAY</term> + <listitem> + <para> + A function pointer to redirect centrally managed + failure delays. See + <citerefentry> + <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_XDISPLAY</term> + <listitem> + <para> + The name of the X display. For graphical, X-based applications the + value for this item should be the <emphasis>$DISPLAY</emphasis> + variable. This value may be used independently of + <emphasis>PAM_TTY</emphasis> for passing the + name of the display. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_XAUTHDATA</term> + <listitem> + <para> + A pointer to a structure containing the X authentication data + required to make a connection to the display specified by + <emphasis>PAM_XDISPLAY</emphasis>, if such information is + necessary. See + <citerefentry> + <refentrytitle>pam_xauth_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTHTOK_TYPE</term> + <listitem> + <para> + The default action is for the module to use the + following prompts when requesting passwords: + "New UNIX password: " and "Retype UNIX password: ". + The example word <emphasis>UNIX</emphasis> can + be replaced with this item, by default it is empty. + This item is used by <citerefentry> + <refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + + </variablelist> diff --git a/doc/man/pam_item_types_std.inc.xml b/doc/man/pam_item_types_std.inc.xml new file mode 100644 index 0000000..81f240b --- /dev/null +++ b/doc/man/pam_item_types_std.inc.xml @@ -0,0 +1,138 @@ +<!-- this file is included by pam_set_item and pam_get_item --> + + <variablelist> + <varlistentry> + <term>PAM_SERVICE</term> + <listitem> + <para> + The service name (which identifies that PAM stack that + the PAM functions will use to authenticate the program). + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER</term> + <listitem> + <para> + The username of the entity under whose identity service + will be given. That is, following authentication, + <emphasis>PAM_USER</emphasis> identifies the local entity + that gets to use the service. Note, this value can be mapped + from something (eg., "anonymous") to something else (eg. + "guest119") by any module in the PAM stack. As such an + application should consult the value of + <emphasis>PAM_USER</emphasis> after each call to a PAM function. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_PROMPT</term> + <listitem> + <para> + The string used when prompting for a user's name. The default + value for this string is a localized version of "login: ". + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_TTY</term> + <listitem> + <para> + The terminal name: prefixed by <filename>/dev/</filename> if + it is a device file; for graphical, X-based, applications the + value for this item should be the + <emphasis>$DISPLAY</emphasis> variable. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_RUSER</term> + <listitem> + <para> + The requesting user name: local name for a locally + requesting user or a remote user name for a remote + requesting user. + </para> + <para> + Generally an application or module will attempt to supply + the value that is most strongly authenticated (a local account + before a remote one. The level of trust in this value is + embodied in the actual authentication stack associated with + the application, so it is ultimately at the discretion of the + system administrator. + </para> + <para> + <emphasis>PAM_RUSER@PAM_RHOST</emphasis> should always identify + the requesting user. In some cases, + <emphasis>PAM_RUSER</emphasis> may be NULL. In such situations, + it is unclear who the requesting entity is. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_RHOST</term> + <listitem> + <para> + The requesting hostname (the hostname of the machine from + which the <emphasis>PAM_RUSER</emphasis> entity is requesting + service). That is <emphasis>PAM_RUSER@PAM_RHOST</emphasis> + does identify the requesting user. In some applications, + <emphasis>PAM_RHOST</emphasis> may be NULL. In such situations, + it is unclear where the authentication request is originating + from. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTHTOK</term> + <listitem> + <para> + The authentication token (often a password). This token + should be ignored by all module functions besides + <citerefentry> + <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> and + <citerefentry> + <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + In the former function it is used to pass the most recent + authentication token from one stacked module to another. In + the latter function the token is used for another purpose. + It contains the currently active authentication token. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_OLDAUTHTOK</term> + <listitem> + <para> + The old authentication token. This token should be ignored + by all module functions except + <citerefentry> + <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + + + <varlistentry> + <term>PAM_CONV</term> + <listitem> + <para> + The pam_conv structure. See + <citerefentry> + <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + + </variablelist> diff --git a/doc/man/pam_misc_drop_env.3 b/doc/man/pam_misc_drop_env.3 new file mode 100644 index 0000000..5decbe5 --- /dev/null +++ b/doc/man/pam_misc_drop_env.3 @@ -0,0 +1,62 @@ +'\" t +.\" Title: pam_misc_drop_env +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_MISC_DROP_ENV" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_misc_drop_env \- liberating a locally saved environment +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_misc\&.h> +.fi +.ft +.HP \w'int\ pam_misc_drop_env('u +.BI "int pam_misc_drop_env(char\ **" "env" ");" +.SH "DESCRIPTION" +.PP +This function is defined to complement the +\fBpam_getenvlist\fR(3) +function\&. It liberates the memory associated with +\fIenv\fR, +\fIoverwriting\fR +with +\fI0\fR +all memory before +\fBfree()\fRing it\&. +.SH "SEE ALSO" +.PP +\fBpam_getenvlist\fR(3), +\fBpam\fR(8) +.SH "STANDARDS" +.PP +The +\fBpam_misc_drop_env\fR +function is part of the +\fBlibpam_misc\fR +Library and not defined in any standard\&. diff --git a/doc/man/pam_misc_drop_env.3.xml b/doc/man/pam_misc_drop_env.3.xml new file mode 100644 index 0000000..1941f58 --- /dev/null +++ b/doc/man/pam_misc_drop_env.3.xml @@ -0,0 +1,63 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_misc_drop_env"> + + <refmeta> + <refentrytitle>pam_misc_drop_env</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_misc_drop_env-name"> + <refname>pam_misc_drop_env</refname> + <refpurpose>liberating a locally saved environment</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_misc_drop_env-synopsis"> + <funcsynopsisinfo>#include <security/pam_misc.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_misc_drop_env</function></funcdef> + <paramdef>char **<parameter>env</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_misc_drop_env-description'> + <title>DESCRIPTION</title> + <para> + This function is defined to complement the <citerefentry> + <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> function. It liberates the memory associated + with <parameter>env</parameter>, <emphasis>overwriting</emphasis> + with <emphasis>0</emphasis> all memory before + <function>free()</function>ing it. + </para> + </refsect1> + + <refsect1 id='pam_misc_drop_env-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_misc_drop_env-standards'> + <title>STANDARDS</title> + <para> + The <function>pam_misc_drop_env</function> function is part of the + <command>libpam_misc</command> Library and not defined in any + standard. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_misc_paste_env.3 b/doc/man/pam_misc_paste_env.3 new file mode 100644 index 0000000..41456d1 --- /dev/null +++ b/doc/man/pam_misc_paste_env.3 @@ -0,0 +1,57 @@ +'\" t +.\" Title: pam_misc_paste_env +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_MISC_PASTE_ENV" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_misc_paste_env \- transcribing an environment to that of PAM +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_misc\&.h> +.fi +.ft +.HP \w'int\ pam_misc_paste_env('u +.BI "int pam_misc_paste_env(pam_handle_t\ *" "pamh" ", const\ char\ *\ const\ *" "user" ");" +.SH "DESCRIPTION" +.PP +This function takes the supplied list of environment pointers and +\fIuploads\fR +its contents to the PAM environment\&. Success is indicated by +PAM_SUCCESS\&. +.SH "SEE ALSO" +.PP +\fBpam_putenv\fR(3), +\fBpam\fR(8) +.SH "STANDARDS" +.PP +The +\fBpam_misc_paste_env\fR +function is part of the +\fBlibpam_misc\fR +Library and not defined in any standard\&. diff --git a/doc/man/pam_misc_paste_env.3.xml b/doc/man/pam_misc_paste_env.3.xml new file mode 100644 index 0000000..d9a282c --- /dev/null +++ b/doc/man/pam_misc_paste_env.3.xml @@ -0,0 +1,61 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_misc_paste_env"> + + <refmeta> + <refentrytitle>pam_misc_paste_env</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_misc_paste_env-name"> + <refname>pam_misc_paste_env</refname> + <refpurpose>transcribing an environment to that of PAM</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_misc_paste_env-synopsis"> + <funcsynopsisinfo>#include <security/pam_misc.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_misc_paste_env</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char * const *<parameter>user</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_misc_paste_env-description'> + <title>DESCRIPTION</title> + <para> + This function takes the supplied list of environment pointers and + <emphasis>uploads</emphasis> its contents to the PAM environment. + Success is indicated by <errorname>PAM_SUCCESS</errorname>. + </para> + </refsect1> + + <refsect1 id='pam_misc_paste_env-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_misc_paste_env-standards'> + <title>STANDARDS</title> + <para> + The <function>pam_misc_paste_env</function> function is part of the + <command>libpam_misc</command> Library and not defined in any + standard. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_misc_setenv.3 b/doc/man/pam_misc_setenv.3 new file mode 100644 index 0000000..575456d --- /dev/null +++ b/doc/man/pam_misc_setenv.3 @@ -0,0 +1,62 @@ +'\" t +.\" Title: pam_misc_setenv +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_MISC_SETENV" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_misc_setenv \- BSD like PAM environment variable setting +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_misc\&.h> +.fi +.ft +.HP \w'int\ pam_misc_setenv('u +.BI "int pam_misc_setenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name" ", const\ char\ *" "value" ", int\ " "readonly" ");" +.SH "DESCRIPTION" +.PP +This function performs a task equivalent to +\fBpam_putenv\fR(3), its syntax is, however, more like the BSD style function; +\fBsetenv()\fR\&. The +\fIname\fR +and +\fIvalue\fR +are concatenated with an \*(Aq=\*(Aq to form a name=value and passed to +\fBpam_putenv()\fR\&. If, however, the PAM variable is already set, the replacement will only be applied if the last argument, +\fIreadonly\fR, is zero\&. +.SH "SEE ALSO" +.PP +\fBpam_putenv\fR(3), +\fBpam\fR(8) +.SH "STANDARDS" +.PP +The +\fBpam_misc_setenv\fR +function is part of the +\fBlibpam_misc\fR +Library and not defined in any standard\&. diff --git a/doc/man/pam_misc_setenv.3.xml b/doc/man/pam_misc_setenv.3.xml new file mode 100644 index 0000000..7e61a8d --- /dev/null +++ b/doc/man/pam_misc_setenv.3.xml @@ -0,0 +1,68 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_misc_setenv"> + + <refmeta> + <refentrytitle>pam_misc_setenv</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + <refnamediv id="pam_misc_setenv-name"> + <refname>pam_misc_setenv</refname> + <refpurpose>BSD like PAM environment variable setting</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_misc_setenv-synopsis"> + <funcsynopsisinfo>#include <security/pam_misc.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_misc_setenv</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char *<parameter>name</parameter></paramdef> + <paramdef>const char *<parameter>value</parameter></paramdef> + <paramdef>int <parameter>readonly</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_misc_setenv-description'> + <title>DESCRIPTION</title> + <para> + This function performs a task equivalent to <citerefentry> + <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, its syntax is, however, more like the BSD style + function; <function>setenv()</function>. The <parameter>name</parameter> + and <parameter>value</parameter> are concatenated with an '=' to + form a name=value and passed to <function>pam_putenv()</function>. + If, however, the PAM variable is already set, the replacement will + only be applied if the last argument, <parameter>readonly</parameter>, + is zero. + </para> + </refsect1> + + <refsect1 id='pam_misc_setenv-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_misc_setenv-standards'> + <title>STANDARDS</title> + <para> + The <function>pam_misc_setenv</function> function is part of the + <command>libpam_misc</command> Library and not defined in any + standard. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_open_session.3 b/doc/man/pam_open_session.3 new file mode 100644 index 0000000..a80a9e1 --- /dev/null +++ b/doc/man/pam_open_session.3 @@ -0,0 +1,81 @@ +'\" t +.\" Title: pam_open_session +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_OPEN_SESSION" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_open_session \- start PAM session management +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_open_session('u +.BI "int pam_open_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_open_session\fR +function sets up a user session for a previously successful authenticated user\&. The session should later be terminated with a call to +\fBpam_close_session\fR(3)\&. +.PP +It should be noted that the effective uid, +\fBgeteuid\fR(2)\&. of the application should be of sufficient privilege to perform such tasks as creating or mounting the user\*(Aqs home directory for example\&. +.PP +The flags argument is the binary or of zero or more of the following values: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_ABORT +.RS 4 +General failure\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_SESSION_ERR +.RS 4 +Session failure\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Session was successful created\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_close_session\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_open_session.3.xml b/doc/man/pam_open_session.3.xml new file mode 100644 index 0000000..eba0bc0 --- /dev/null +++ b/doc/man/pam_open_session.3.xml @@ -0,0 +1,115 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_send'> + + <refmeta> + <refentrytitle>pam_open_session</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_open_session-name"> + <refname>pam_open_session</refname> + <refpurpose>start PAM session management</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_open_session-synopsis"> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_open_session</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_open_session-description"> + <title>DESCRIPTION</title> + <para> + The <function>pam_open_session</function> function sets up a + user session for a previously successful authenticated user. + The session should later be terminated with a call to + <citerefentry> + <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + <para> + It should be noted that the effective uid, + <citerefentry> + <refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum> + </citerefentry>. of the application should be of sufficient + privilege to perform such tasks as creating or mounting the + user's home directory for example. + </para> + <para> + The flags argument is the binary or of zero or more of the + following values: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_open_session-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + General failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Session failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Session was successful created. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_open_session-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_prompt.3 b/doc/man/pam_prompt.3 new file mode 100644 index 0000000..3ff08e7 --- /dev/null +++ b/doc/man/pam_prompt.3 @@ -0,0 +1,81 @@ +'\" t +.\" Title: pam_prompt +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_PROMPT" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_prompt, pam_vprompt \- interface to conversation function +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_ext\&.h> +.fi +.ft +.HP \w'int\ pam_prompt('u +.BI "int pam_prompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");" +.HP \w'int\ pam_vprompt('u +.BI "int pam_vprompt(pam_handle_t\ *" "pamh" ", int\ " "style" ", char\ **" "response" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_prompt\fR +function constructs a message from the specified format string and arguments and passes it to the conversation function as set by the service\&. Upon successful return, +\fIresponse\fR +is set to point to a string returned from the conversation function\&. This string is allocated on heap and should be freed\&. +.SH "RETURN VALUES" +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CONV_ERR +.RS 4 +Conversation failure\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Conversation succeeded, response is set\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +System error\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam\fR(8), +\fBpam_conv\fR(3) +.SH "STANDARDS" +.PP +The +\fBpam_prompt\fR +and +\fBpam_vprompt\fR +functions are Linux\-PAM extensions\&. diff --git a/doc/man/pam_prompt.3.xml b/doc/man/pam_prompt.3.xml new file mode 100644 index 0000000..bf0c9bf --- /dev/null +++ b/doc/man/pam_prompt.3.xml @@ -0,0 +1,114 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_prompt"> + + <refmeta> + <refentrytitle>pam_prompt</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_prompt-name"> + <refname>pam_prompt</refname> + <refname>pam_vprompt</refname> + <refpurpose>interface to conversation function</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv id="pam_prompt-synopsis"> + <funcsynopsis> + <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_prompt</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>style</parameter></paramdef> + <paramdef>char **<parameter>response</parameter></paramdef> + <paramdef>const char *<parameter>fmt</parameter></paramdef> + <paramdef><parameter>...</parameter></paramdef> + </funcprototype> + <funcprototype> + <funcdef>int <function>pam_vprompt</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>style</parameter></paramdef> + <paramdef>char **<parameter>response</parameter></paramdef> + <paramdef>const char *<parameter>fmt</parameter></paramdef> + <paramdef>va_list <parameter>args</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_prompt-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_prompt</function> function constructs a message + from the specified format string and arguments and passes it to the + conversation function as set by the service. Upon successful return, + <emphasis>response</emphasis> is set to point to a string + returned from the conversation function. This string is allocated + on heap and should be freed. + </para> + </refsect1> + + <refsect1 id="pam_prompt-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CONV_ERR</term> + <listitem> + <para> + Conversation failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Conversation succeeded, response is set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + System error. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + + <refsect1 id='pam_prompt-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_prompt-standards'> + <title>STANDARDS</title> + <para> + The <function>pam_prompt</function> and <function>pam_vprompt</function> + functions are Linux-PAM extensions. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_putenv.3 b/doc/man/pam_putenv.3 new file mode 100644 index 0000000..b832950 --- /dev/null +++ b/doc/man/pam_putenv.3 @@ -0,0 +1,111 @@ +'\" t +.\" Title: pam_putenv +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_PUTENV" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_putenv \- set or change PAM environment variable +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_putenv('u +.BI "int pam_putenv(pam_handle_t\ *" "pamh" ", const\ char\ *" "name_value" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_putenv\fR +function is used to add or change the value of PAM environment variables as associated with the +\fIpamh\fR +handle\&. +.PP +The +\fIpamh\fR +argument is an authentication handle obtained by a prior call to pam_start()\&. The +\fIname_value\fR +argument is a single NUL terminated string of one of the following forms: +.PP +NAME=value of variable +.RS 4 +In this case the environment variable of the given NAME is set to the indicated value: +\fIvalue of variable\fR\&. If this variable is already known, it is overwritten\&. Otherwise it is added to the PAM environment\&. +.RE +.PP +NAME= +.RS 4 +This function sets the variable to an empty value\&. It is listed separately to indicate that this is the correct way to achieve such a setting\&. +.RE +.PP +NAME +.RS 4 +Without an \*(Aq=\*(Aq the +\fBpam_putenv\fR() function will delete the corresponding variable from the PAM environment\&. +.RE +.PP +\fBpam_putenv\fR() operates on a copy of +\fIname_value\fR, which means in contrast to +\fBputenv\fR(3), the application is responsible for freeing the data\&. +.SH "RETURN VALUES" +.PP +PAM_PERM_DENIED +.RS 4 +Argument +\fIname_value\fR +given is a NULL pointer\&. +.RE +.PP +PAM_BAD_ITEM +.RS 4 +Variable requested (for deletion) is not currently set\&. +.RE +.PP +PAM_ABORT +.RS 4 +The +\fIpamh\fR +handle is corrupt\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The environment variable was successfully updated\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_start\fR(3), +\fBpam_getenv\fR(3), +\fBpam_getenvlist\fR(3), +\fBpam_strerror\fR(3), +\fBpam\fR(8) diff --git a/doc/man/pam_putenv.3.xml b/doc/man/pam_putenv.3.xml new file mode 100644 index 0000000..2d4afbc --- /dev/null +++ b/doc/man/pam_putenv.3.xml @@ -0,0 +1,152 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_putenv'> + <refmeta> + <refentrytitle>pam_putenv</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_putenv-name"> + <refname>pam_putenv</refname> + <refpurpose>set or change PAM environment variable</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_putenv-synopsis'> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_putenv</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char *<parameter>name_value</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_putenv-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_putenv</function> function is used to + add or change the value of PAM environment variables as + associated with the <emphasis>pamh</emphasis> handle. + </para> + <para> + The <emphasis>pamh</emphasis> argument is an authentication + handle obtained by a prior call to pam_start(). + The <emphasis>name_value</emphasis> argument is a single NUL + terminated string of one of the following forms: + </para> + <variablelist> + <varlistentry> + <term>NAME=value of variable</term> + <listitem> + <para> + In this case the environment variable of the given NAME + is set to the indicated value: + <emphasis>value of variable</emphasis>. If this variable + is already known, it is overwritten. Otherwise it is added + to the PAM environment. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>NAME=</term> + <listitem> + <para> + This function sets the variable to an empty value. It is + listed separately to indicate that this is the correct way + to achieve such a setting. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>NAME</term> + <listitem> + <para> + Without an '=' the <function>pam_putenv</function>() function + will delete the + corresponding variable from the PAM environment. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + <function>pam_putenv</function>() operates on a copy of + <emphasis>name_value</emphasis>, which means in contrast to + <citerefentry> + <refentrytitle>putenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, the application is responsible for freeing the data. + </para> + </refsect1> + + <refsect1 id="pam_putenv-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Argument <emphasis>name_value</emphasis> given is a NULL pointer. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BAD_ITEM</term> + <listitem> + <para> + Variable requested (for deletion) is not currently set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + The <emphasis>pamh</emphasis> handle is corrupt. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The environment variable was successfully updated. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_putenv-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_set_data.3 b/doc/man/pam_set_data.3 new file mode 100644 index 0000000..ea00056 --- /dev/null +++ b/doc/man/pam_set_data.3 @@ -0,0 +1,119 @@ +'\" t +.\" Title: pam_set_data +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SET_DATA" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_set_data \- set module internal data +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_set_data('u +.BI "int pam_set_data(pam_handle_t\ *" "pamh" ", const\ char\ *" "module_data_name" ", void\ *" "data" ", void\ " "(*cleanup)(pam_handle_t\ *pamh,\ void\ *data,\ int\ error_status)" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_set_data\fR +function associates a pointer to an object with the (hopefully) unique string +\fImodule_data_name\fR +in the PAM context specified by the +\fIpamh\fR +argument\&. +.PP +PAM modules may be dynamically loadable objects\&. In general such files should not contain +\fIstatic\fR +variables\&. This function and its counterpart +\fBpam_get_data\fR(3), provide a mechanism for a module to associate some data with the handle +\fIpamh\fR\&. Typically a module will call the +\fBpam_set_data\fR +function to register some data under a (hopefully) unique +\fImodule_data_name\fR\&. The data is available for use by other modules too but +\fInot\fR +by an application\&. Since this functions stores only a pointer to the +\fIdata\fR, the module should not modify or free the content of it\&. +.PP +The function +\fBcleanup()\fR +is associated with the +\fIdata\fR +and, if non\-NULL, it is called when this data is over\-written or following a call to +\fBpam_end\fR(3)\&. +.PP +The +\fIerror_status\fR +argument is used to indicate to the module the sort of action it is to take in cleaning this data item\&. As an example, Kerberos creates a ticket file during the authentication phase, this file might be associated with a data item\&. When +\fBpam_end\fR(3) +is called by the module, the +\fIerror_status\fR +carries the return value of the +\fBpam_authenticate\fR(3) +or other +\fIlibpam\fR +function as appropriate\&. Based on this value the Kerberos module may choose to delete the ticket file (\fIauthentication failure\fR) or leave it in place\&. +.PP +The +\fIerror_status\fR +may have been logically OR\*(Aqd with either of the following two values: +.PP +PAM_DATA_REPLACE +.RS 4 +When a data item is being replaced (through a second call to +\fBpam_set_data\fR) this mask is used\&. Otherwise, the call is assumed to be from +\fBpam_end\fR(3)\&. +.RE +.PP +PAM_DATA_SILENT +.RS 4 +Which indicates that the process would prefer to perform the +\fBcleanup()\fR +quietly\&. That is, discourages logging/messages to the user\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Data was successful stored\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +A NULL pointer was submitted as PAM handle or the function was called by an application\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_end\fR(3), +\fBpam_get_data\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_set_data.3.xml b/doc/man/pam_set_data.3.xml new file mode 100644 index 0000000..c20068c --- /dev/null +++ b/doc/man/pam_set_data.3.xml @@ -0,0 +1,172 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_set_data'> + + <refmeta> + <refentrytitle>pam_set_data</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_set_data-name'> + <refname>pam_set_data</refname> + <refpurpose> + set module internal data + </refpurpose> + </refnamediv> + + +<!-- body begins here --> + + <refsynopsisdiv> + + <funcsynopsis id="pam_set_data-synopsis"> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_set_data</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>const char *<parameter>module_data_name</parameter></paramdef> + <paramdef>void *<parameter>data</parameter></paramdef> + <paramdef>void <parameter>(*cleanup)(pam_handle_t *pamh, void *data, int error_status)</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + </refsynopsisdiv> + + + <refsect1 id="pam_set_data-description"> + <title>DESCRIPTION</title> + <para> + The <function>pam_set_data</function> function associates a pointer + to an object with the (hopefully) unique string + <emphasis>module_data_name</emphasis> in the PAM context specified + by the <emphasis>pamh</emphasis> argument. + </para> + + <para> + PAM modules may be dynamically loadable objects. In general such files + should not contain <emphasis>static</emphasis> variables. This function + and its counterpart + <citerefentry> + <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + provide a mechanism for a module to associate some data with + the handle <emphasis>pamh</emphasis>. Typically a module will call the + <function>pam_set_data</function> function to register some data + under a (hopefully) unique <emphasis>module_data_name</emphasis>. + The data is available for use by other modules too but + <emphasis>not</emphasis> by an application. Since this functions + stores only a pointer to the <emphasis>data</emphasis>, the module + should not modify or free the content of it. + </para> + + <para> + The function <function>cleanup()</function> is associated with the + <emphasis>data</emphasis> and, if non-NULL, it is called when this + data is over-written or following a call to + <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + + <para> + The <emphasis>error_status</emphasis> argument is used to indicate + to the module the sort of action it is to take in cleaning this data + item. As an example, Kerberos creates a ticket file during the + authentication phase, this file might be associated with a data item. + When + <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + is called by the module, the <emphasis>error_status</emphasis> + carries the return value of the + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + or other <emphasis>libpam</emphasis> function as appropriate. Based + on this value the Kerberos module may choose to delete the ticket file + (<emphasis>authentication failure</emphasis>) or leave it in place. + </para> + + <para> + The <emphasis>error_status</emphasis> may have been logically + OR'd with either of the following two values: + </para> + + <variablelist> + <varlistentry> + <term>PAM_DATA_REPLACE</term> + <listitem> + <para> + When a data item is being replaced (through a second call to + <function>pam_set_data</function>) this mask is used. + Otherwise, the call is assumed to be from + <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_DATA_SILENT</term> + <listitem> + <para> + Which indicates that the process would prefer to perform the + <function>cleanup()</function> quietly. That is, discourages + logging/messages to the user. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_set_data-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Data was successful stored. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + A NULL pointer was submitted as PAM handle or the + function was called by an application. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_set_data-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_set_item.3 b/doc/man/pam_set_item.3 new file mode 100644 index 0000000..867897d --- /dev/null +++ b/doc/man/pam_set_item.3 @@ -0,0 +1,193 @@ +'\" t +.\" Title: pam_set_item +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SET_ITEM" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_set_item \- set and update PAM information +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_set_item('u +.BI "int pam_set_item(pam_handle_t\ *" "pamh" ", int\ " "item_type" ", const\ void\ *" "item" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_set_item\fR +function allows applications and PAM service modules to access and to update PAM information of +\fIitem_type\fR\&. For this a copy of the object pointed to by the +\fIitem\fR +argument is created\&. The following +\fIitem_type\fRs are supported: +.PP +PAM_SERVICE +.RS 4 +The service name (which identifies that PAM stack that the PAM functions will use to authenticate the program)\&. +.RE +.PP +PAM_USER +.RS 4 +The username of the entity under whose identity service will be given\&. That is, following authentication, +\fIPAM_USER\fR +identifies the local entity that gets to use the service\&. Note, this value can be mapped from something (eg\&., "anonymous") to something else (eg\&. "guest119") by any module in the PAM stack\&. As such an application should consult the value of +\fIPAM_USER\fR +after each call to a PAM function\&. +.RE +.PP +PAM_USER_PROMPT +.RS 4 +The string used when prompting for a user\*(Aqs name\&. The default value for this string is a localized version of "login: "\&. +.RE +.PP +PAM_TTY +.RS 4 +The terminal name: prefixed by +/dev/ +if it is a device file; for graphical, X\-based, applications the value for this item should be the +\fI$DISPLAY\fR +variable\&. +.RE +.PP +PAM_RUSER +.RS 4 +The requesting user name: local name for a locally requesting user or a remote user name for a remote requesting user\&. +.sp +Generally an application or module will attempt to supply the value that is most strongly authenticated (a local account before a remote one\&. The level of trust in this value is embodied in the actual authentication stack associated with the application, so it is ultimately at the discretion of the system administrator\&. +.sp +\fIPAM_RUSER@PAM_RHOST\fR +should always identify the requesting user\&. In some cases, +\fIPAM_RUSER\fR +may be NULL\&. In such situations, it is unclear who the requesting entity is\&. +.RE +.PP +PAM_RHOST +.RS 4 +The requesting hostname (the hostname of the machine from which the +\fIPAM_RUSER\fR +entity is requesting service)\&. That is +\fIPAM_RUSER@PAM_RHOST\fR +does identify the requesting user\&. In some applications, +\fIPAM_RHOST\fR +may be NULL\&. In such situations, it is unclear where the authentication request is originating from\&. +.RE +.PP +PAM_AUTHTOK +.RS 4 +The authentication token (often a password)\&. This token should be ignored by all module functions besides +\fBpam_sm_authenticate\fR(3) +and +\fBpam_sm_chauthtok\fR(3)\&. In the former function it is used to pass the most recent authentication token from one stacked module to another\&. In the latter function the token is used for another purpose\&. It contains the currently active authentication token\&. +.RE +.PP +PAM_OLDAUTHTOK +.RS 4 +The old authentication token\&. This token should be ignored by all module functions except +\fBpam_sm_chauthtok\fR(3)\&. +.RE +.PP +PAM_CONV +.RS 4 +The pam_conv structure\&. See +\fBpam_conv\fR(3)\&. +.RE +.PP +The following additional items are specific to Linux\-PAM and should not be used in portable applications: +.PP +PAM_FAIL_DELAY +.RS 4 +A function pointer to redirect centrally managed failure delays\&. See +\fBpam_fail_delay\fR(3)\&. +.RE +.PP +PAM_XDISPLAY +.RS 4 +The name of the X display\&. For graphical, X\-based applications the value for this item should be the +\fI$DISPLAY\fR +variable\&. This value may be used independently of +\fIPAM_TTY\fR +for passing the name of the display\&. +.RE +.PP +PAM_XAUTHDATA +.RS 4 +A pointer to a structure containing the X authentication data required to make a connection to the display specified by +\fIPAM_XDISPLAY\fR, if such information is necessary\&. See +\fBpam_xauth_data\fR(3)\&. +.RE +.PP +PAM_AUTHTOK_TYPE +.RS 4 +The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: "\&. The example word +\fIUNIX\fR +can be replaced with this item, by default it is empty\&. This item is used by +\fBpam_get_authtok\fR(3)\&. +.RE +.PP +For all +\fIitem_type\fRs, other than PAM_CONV and PAM_FAIL_DELAY, +\fIitem\fR +is a pointer to a <NUL> terminated character string\&. In the case of PAM_CONV, +\fIitem\fR +points to an initialized +\fIpam_conv\fR +structure\&. In the case of PAM_FAIL_DELAY, +\fIitem\fR +is a function pointer: +\fBvoid (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)\fR +.PP +Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reset before returning to the application\&. Which means an application is not able to access the authentication tokens\&. +.SH "RETURN VALUES" +.PP +PAM_BAD_ITEM +.RS 4 +The application attempted to set an undefined or inaccessible item\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Data was successful updated\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +The +\fIpam_handle_t\fR +passed as first argument was invalid\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_get_item\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_set_item.3.xml b/doc/man/pam_set_item.3.xml new file mode 100644 index 0000000..30ab92b --- /dev/null +++ b/doc/man/pam_set_item.3.xml @@ -0,0 +1,136 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" +[ +<!-- +<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml"> +<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml"> +--> +]> + +<refentry id='pam_set_item'> + + <refmeta> + <refentrytitle>pam_set_item</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam_set_item-name'> + <refname>pam_set_item</refname> + <refpurpose> + set and update PAM information + </refpurpose> + </refnamediv> + + +<!-- body begins here --> + + <refsynopsisdiv> + + <funcsynopsis id="pam_set_item-synopsis"> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_set_item</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>item_type</parameter></paramdef> + <paramdef>const void *<parameter>item</parameter></paramdef> + </funcprototype> + </funcsynopsis> + + </refsynopsisdiv> + + + <refsect1 id="pam_set_item-description"> + <title>DESCRIPTION</title> + <para> + The <function>pam_set_item</function> function allows applications + and PAM service modules to access and to update PAM information + of <emphasis>item_type</emphasis>. For this a copy + of the object pointed to by the <emphasis>item</emphasis> argument + is created. The following <emphasis>item_type</emphasis>s are + supported: + </para> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_item_types_std.inc.xml"/> + + <para> + The following additional items are specific to Linux-PAM and should not be used in + portable applications: + </para> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_item_types_ext.inc.xml"/> + + <para> + For all <emphasis>item_type</emphasis>s, other than PAM_CONV and + PAM_FAIL_DELAY, <emphasis>item</emphasis> is a pointer to a <NUL> + terminated character string. In the case of PAM_CONV, + <emphasis>item</emphasis> points to an initialized + <emphasis>pam_conv</emphasis> structure. In the case of + PAM_FAIL_DELAY, <emphasis>item</emphasis> is a function pointer: + <function>void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)</function> + </para> + + <para> + Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reset before + returning to the application. Which means an application is not + able to access the authentication tokens. + </para> + + </refsect1> + + <refsect1 id="pam_set_item-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BAD_ITEM</term> + <listitem> + <para> + The application attempted to set an undefined or inaccessible + item. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Data was successful updated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + The <emphasis>pam_handle_t</emphasis> passed as first + argument was invalid. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_set_item-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_setcred.3 b/doc/man/pam_setcred.3 new file mode 100644 index 0000000..3ed0fd7 --- /dev/null +++ b/doc/man/pam_setcred.3 @@ -0,0 +1,122 @@ +'\" t +.\" Title: pam_setcred +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SETCRED" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_setcred \- establish / delete user credentials +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_setcred('u +.BI "int pam_setcred(pam_handle_t\ *" "pamh" ", int\ " "flags" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_setcred\fR +function is used to establish, maintain and delete the credentials of a user\&. It should be called to set the credentials after a user has been authenticated and before a session is opened for the user (with +\fBpam_open_session\fR(3))\&. The credentials should be deleted after the session has been closed (with +\fBpam_close_session\fR(3))\&. +.PP +A credential is something that the user possesses\&. It is some property, such as a +\fIKerberos\fR +ticket, or a supplementary group membership that make up the uniqueness of a given user\&. On a Linux system the user\*(Aqs +\fIUID\fR +and +\fIGID\fR\*(Aqs are credentials too\&. However, it has been decided that these properties (along with the default supplementary groups of which the user is a member) are credentials that should be set directly by the application and not by PAM\&. Such credentials should be established, by the application, prior to a call to this function\&. For example, +\fBinitgroups\fR(2) +(or equivalent) should have been performed\&. +.PP +Valid +\fIflags\fR, any one of which, may be logically OR\*(Aqd with +\fBPAM_SILENT\fR, are: +.PP +PAM_ESTABLISH_CRED +.RS 4 +Initialize the credentials for the user\&. +.RE +.PP +PAM_DELETE_CRED +.RS 4 +Delete the user\*(Aqs credentials\&. +.RE +.PP +PAM_REINITIALIZE_CRED +.RS 4 +Fully reinitialize the user\*(Aqs credentials\&. +.RE +.PP +PAM_REFRESH_CRED +.RS 4 +Extend the lifetime of the existing credentials\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_CRED_ERR +.RS 4 +Failed to set user credentials\&. +.RE +.PP +PAM_CRED_EXPIRED +.RS 4 +User credentials are expired\&. +.RE +.PP +PAM_CRED_UNAVAIL +.RS 4 +Failed to retrieve user credentials\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Data was successful stored\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +A NULL pointer was submitted as PAM handle, the function was called by a module or another system error occurred\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User is not known to an authentication module\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_authenticate\fR(3), +\fBpam_open_session\fR(3), +\fBpam_close_session\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_setcred.3.xml b/doc/man/pam_setcred.3.xml new file mode 100644 index 0000000..6292248 --- /dev/null +++ b/doc/man/pam_setcred.3.xml @@ -0,0 +1,180 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_setcred"> + + <refmeta> + <refentrytitle>pam_setcred</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_setcred-name"> + <refname>pam_setcred</refname> + <refpurpose> + establish / delete user credentials + </refpurpose> + </refnamediv> + + <!-- body begins here --> + <refsynopsisdiv> + <funcsynopsis id='pam_setcred-synopsis'> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_setcred</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_setcred-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_setcred</function> function is used to establish, + maintain and delete the credentials of a user. It should be called + to set the credentials after a user has been authenticated and before + a session is opened for the user (with + <citerefentry> + <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>). The credentials should be deleted after the session + has been closed (with + <citerefentry> + <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>). + </para> + + <para> + A credential is something that the user possesses. It is some + property, such as a <emphasis>Kerberos</emphasis> ticket, or a + supplementary group membership that make up the uniqueness of a + given user. On a Linux system the user's <emphasis>UID</emphasis> + and <emphasis>GID</emphasis>'s are credentials too. However, it + has been decided that these properties (along with the default + supplementary groups of which the user is a member) are credentials + that should be set directly by the application and not by PAM. + Such credentials should be established, by the application, prior + to a call to this function. For example, + <citerefentry> + <refentrytitle>initgroups</refentrytitle><manvolnum>2</manvolnum> + </citerefentry> (or equivalent) should have been performed. + </para> + + <para> + Valid <emphasis>flags</emphasis>, any one of which, may be + logically OR'd with <option>PAM_SILENT</option>, are: + </para> + + <variablelist> + <varlistentry> + <term>PAM_ESTABLISH_CRED</term> + <listitem> + <para>Initialize the credentials for the user.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_DELETE_CRED</term> + <listitem> + <para>Delete the user's credentials.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_REINITIALIZE_CRED</term> + <listitem> + <para>Fully reinitialize the user's credentials.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_REFRESH_CRED</term> + <listitem> + <para>Extend the lifetime of the existing credentials.</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_setcred-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_ERR</term> + <listitem> + <para> + Failed to set user credentials. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_EXPIRED</term> + <listitem> + <para> + User credentials are expired. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_UNAVAIL</term> + <listitem> + <para> + Failed to retrieve user credentials. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Data was successful stored. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + A NULL pointer was submitted as PAM handle, the + function was called by a module or another system + error occurred. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User is not known to an authentication module. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="pam_set_data-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_sm_acct_mgmt.3 b/doc/man/pam_sm_acct_mgmt.3 new file mode 100644 index 0000000..58c0e98 --- /dev/null +++ b/doc/man/pam_sm_acct_mgmt.3 @@ -0,0 +1,105 @@ +'\" t +.\" Title: pam_sm_acct_mgmt +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SM_ACCT_MGMT" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_sm_acct_mgmt \- PAM service function for account management +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_sm_acct_mgmt('u +.BI "int pam_sm_acct_mgmt(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_sm_acct_mgmt\fR +function is the service module\*(Aqs implementation of the +\fBpam_acct_mgmt\fR(3) +interface\&. +.PP +This function performs the task of establishing whether the user is permitted to gain access at this time\&. It should be understood that the user has previously been validated by an authentication module\&. This function checks for other things\&. Such things might be: the time of day or the date, the terminal line, remote hostname, etc\&. This function may also determine things like the expiration on passwords, and respond that the user change it before continuing\&. +.PP +Valid flags, which may be logically OR\*(Aqd with +\fIPAM_SILENT\fR, are: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.PP +PAM_DISALLOW_NULL_AUTHTOK +.RS 4 +Return +\fBPAM_AUTH_ERR\fR +if the database of authentication tokens for this authentication mechanism has a +\fINULL\fR +entry for the user\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_ACCT_EXPIRED +.RS 4 +User account has expired\&. +.RE +.PP +PAM_AUTH_ERR +.RS 4 +Authentication failure\&. +.RE +.PP +PAM_NEW_AUTHTOK_REQD +.RS 4 +The user\*(Aqs authentication token has expired\&. Before calling this function again the application will arrange for a new one to be given\&. This will likely result in a call to +\fBpam_sm_chauthtok()\fR\&. +.RE +.PP +PAM_PERM_DENIED +.RS 4 +Permission denied\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The authentication token was successfully updated\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User unknown to password service\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam\fR(3), +\fBpam_acct_mgmt\fR(3), +\fBpam_sm_chauthtok\fR(3), +\fBpam_strerror\fR(3), +\fBPAM\fR(8) diff --git a/doc/man/pam_sm_acct_mgmt.3.xml b/doc/man/pam_sm_acct_mgmt.3.xml new file mode 100644 index 0000000..b37dc30 --- /dev/null +++ b/doc/man/pam_sm_acct_mgmt.3.xml @@ -0,0 +1,154 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_sm_acct_mgmt'> + <refmeta> + <refentrytitle>pam_sm_acct_mgmt</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_sm_acct_mgmt-name"> + <refname>pam_sm_acct_mgmt</refname> + <refpurpose>PAM service function for account management</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_sm_acct_mgmt-synopsis'> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_sm_acct_mgmt</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + <paramdef>int <parameter>argc</parameter></paramdef> + <paramdef>const char **<parameter>argv</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_sm_acct_mgmt-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_sm_acct_mgmt</function> function is the service + module's implementation of the + <citerefentry> + <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> interface. + </para> + <para> + This function performs the task of establishing whether the user is + permitted to gain access at this time. It should be understood that + the user has previously been validated by an authentication + module. This function checks for other things. Such things might be: + the time of day or the date, the terminal line, remote hostname, etc. + This function may also determine things like the expiration on + passwords, and respond that the user change it before continuing. + </para> + <para> + Valid flags, which may be logically OR'd with + <emphasis>PAM_SILENT</emphasis>, are: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_DISALLOW_NULL_AUTHTOK</term> + <listitem> + <para> + Return <emphasis remap='B'>PAM_AUTH_ERR</emphasis> if the + database of authentication tokens for this authentication + mechanism has a <emphasis>NULL</emphasis> entry for the user. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_sm_acct_mgmt-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_ACCT_EXPIRED</term> + <listitem> + <para> + User account has expired. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_NEW_AUTHTOK_REQD</term> + <listitem> + <para> + The user's authentication token has expired. Before calling + this function again the application will arrange for a new + one to be given. This will likely result in a call to + <function>pam_sm_chauthtok()</function>. + + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Permission denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The authentication token was successfully updated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User unknown to password service. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_sm_acct_mgmt-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_sm_authenticate.3 b/doc/man/pam_sm_authenticate.3 new file mode 100644 index 0000000..3e4b868 --- /dev/null +++ b/doc/man/pam_sm_authenticate.3 @@ -0,0 +1,106 @@ +'\" t +.\" Title: pam_sm_authenticate +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SM_AUTHENTICATE" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_sm_authenticate \- PAM service function for user authentication +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_sm_authenticate('u +.BI "int pam_sm_authenticate(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_sm_authenticate\fR +function is the service module\*(Aqs implementation of the +\fBpam_authenticate\fR(3) +interface\&. +.PP +This function performs the task of authenticating the user\&. +.PP +Valid flags, which may be logically OR\*(Aqd with +\fIPAM_SILENT\fR, are: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.PP +PAM_DISALLOW_NULL_AUTHTOK +.RS 4 +Return +\fBPAM_AUTH_ERR\fR +if the database of authentication tokens for this authentication mechanism has a +\fINULL\fR +entry for the user\&. Without this flag, such a +\fINULL\fR +token will lead to a success without the user being prompted\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_AUTH_ERR +.RS 4 +Authentication failure\&. +.RE +.PP +PAM_CRED_INSUFFICIENT +.RS 4 +For some reason the application does not have sufficient credentials to authenticate the user\&. +.RE +.PP +PAM_AUTHINFO_UNAVAIL +.RS 4 +The modules were not able to access the authentication information\&. This might be due to a network or hardware failure etc\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The authentication token was successfully updated\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +The supplied username is not known to the authentication service\&. +.RE +.PP +PAM_MAXTRIES +.RS 4 +One or more of the authentication modules has reached its limit of tries authenticating the user\&. Do not try again\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam\fR(3), +\fBpam_authenticate\fR(3), +\fBpam_sm_setcred\fR(3), +\fBpam_strerror\fR(3), +\fBPAM\fR(8) diff --git a/doc/man/pam_sm_authenticate.3.xml b/doc/man/pam_sm_authenticate.3.xml new file mode 100644 index 0000000..ef3a8f1 --- /dev/null +++ b/doc/man/pam_sm_authenticate.3.xml @@ -0,0 +1,151 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_sm_authenticate'> + <refmeta> + <refentrytitle>pam_sm_authenticate</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_sm_authenticate-name"> + <refname>pam_sm_authenticate</refname> + <refpurpose>PAM service function for user authentication</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_sm_authenticate-synopsis'> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_sm_authenticate</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + <paramdef>int <parameter>argc</parameter></paramdef> + <paramdef>const char **<parameter>argv</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_sm_authenticate-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_sm_authenticate</function> function is the service + module's implementation of the + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> interface. + </para> + <para> + This function performs the task of authenticating the user. + </para> + <para> + Valid flags, which may be logically OR'd with + <emphasis>PAM_SILENT</emphasis>, are: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_DISALLOW_NULL_AUTHTOK</term> + <listitem> + <para> + Return <emphasis remap='B'>PAM_AUTH_ERR</emphasis> if the + database of authentication tokens for this authentication + mechanism has a <emphasis>NULL</emphasis> entry for the user. + Without this flag, such a <emphasis>NULL</emphasis> token + will lead to a success without the user being prompted. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_sm_authenticate-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_INSUFFICIENT</term> + <listitem> + <para> + For some reason the application does not have sufficient + credentials to authenticate the user. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHINFO_UNAVAIL</term> + <listitem> + <para> + The modules were not able to access the authentication + information. This might be due to a network or hardware + failure etc. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The authentication token was successfully updated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The supplied username is not known to the authentication + service. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_MAXTRIES</term> + <listitem> + <para> + One or more of the authentication modules has reached its + limit of tries authenticating the user. Do not try again. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_sm_authenticate-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_sm_chauthtok.3 b/doc/man/pam_sm_chauthtok.3 new file mode 100644 index 0000000..e68876f --- /dev/null +++ b/doc/man/pam_sm_chauthtok.3 @@ -0,0 +1,137 @@ +'\" t +.\" Title: pam_sm_chauthtok +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SM_CHAUTHTOK" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_sm_chauthtok \- PAM service function for authentication token management +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_sm_chauthtok('u +.BI "int pam_sm_chauthtok(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_sm_chauthtok\fR +function is the service module\*(Aqs implementation of the +\fBpam_chauthtok\fR(3) +interface\&. +.PP +This function is used to (re\-)set the authentication token of the user\&. +.PP +Valid flags, which may be logically OR\*(Aqd with +\fIPAM_SILENT\fR, are: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.PP +PAM_CHANGE_EXPIRED_AUTHTOK +.RS 4 +This argument indicates to the module that the user\*(Aqs authentication token (password) should only be changed if it has expired\&. This flag is optional and +\fImust\fR +be combined with one of the following two flags\&. Note, however, the following two options are +\fImutually exclusive\fR\&. +.RE +.PP +PAM_PRELIM_CHECK +.RS 4 +This indicates that the modules are being probed as to their ready status for altering the user\*(Aqs authentication token\&. If the module requires access to another system over some network it should attempt to verify it can connect to this system on receiving this flag\&. If a module cannot establish it is ready to update the user\*(Aqs authentication token it should return +\fBPAM_TRY_AGAIN\fR, this information will be passed back to the application\&. +.sp +If the control value +\fIsufficient\fR +is used in the password stack, the +\fIPAM_PRELIM_CHECK\fR +section of the modules following that control value is not always executed\&. +.RE +.PP +PAM_UPDATE_AUTHTOK +.RS 4 +This informs the module that this is the call it should change the authorization tokens\&. If the flag is logically OR\*(Aqd with +\fBPAM_CHANGE_EXPIRED_AUTHTOK\fR, the token is only changed if it has actually expired\&. +.RE +.PP +The PAM library calls this function twice in succession\&. The first time with +\fBPAM_PRELIM_CHECK\fR +and then, if the module does not return +\fBPAM_TRY_AGAIN\fR, subsequently with +\fBPAM_UPDATE_AUTHTOK\fR\&. It is only on the second call that the authorization token is (possibly) changed\&. +.SH "RETURN VALUES" +.PP +PAM_AUTHTOK_ERR +.RS 4 +The module was unable to obtain the new authentication token\&. +.RE +.PP +PAM_AUTHTOK_RECOVERY_ERR +.RS 4 +The module was unable to obtain the old authentication token\&. +.RE +.PP +PAM_AUTHTOK_LOCK_BUSY +.RS 4 +Cannot change the authentication token since it is currently locked\&. +.RE +.PP +PAM_AUTHTOK_DISABLE_AGING +.RS 4 +Authentication token aging has been disabled\&. +.RE +.PP +PAM_PERM_DENIED +.RS 4 +Permission denied\&. +.RE +.PP +PAM_TRY_AGAIN +.RS 4 +Preliminary check was unsuccessful\&. Signals an immediate return to the application is desired\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The authentication token was successfully updated\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User unknown to password service\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam\fR(3), +\fBpam_chauthtok\fR(3), +\fBpam_sm_chauthtok\fR(3), +\fBpam_strerror\fR(3), +\fBPAM\fR(8) diff --git a/doc/man/pam_sm_chauthtok.3.xml b/doc/man/pam_sm_chauthtok.3.xml new file mode 100644 index 0000000..25e17d0 --- /dev/null +++ b/doc/man/pam_sm_chauthtok.3.xml @@ -0,0 +1,204 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_sm_chauthtok'> + <refmeta> + <refentrytitle>pam_sm_chauthtok</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_sm_chauthtok-name"> + <refname>pam_sm_chauthtok</refname> + <refpurpose>PAM service function for authentication token management</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_sm_chauthtok-synopsis'> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_sm_chauthtok</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + <paramdef>int <parameter>argc</parameter></paramdef> + <paramdef>const char **<parameter>argv</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_sm_chauthtok-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_sm_chauthtok</function> function is the service + module's implementation of the + <citerefentry> + <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> interface. + </para> + <para> + This function is used to (re-)set the authentication token of the user. + </para> + <para> + Valid flags, which may be logically OR'd with + <emphasis>PAM_SILENT</emphasis>, are: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CHANGE_EXPIRED_AUTHTOK</term> + <listitem> + <para> + This argument indicates to the module that the user's + authentication token (password) should only be changed if + it has expired. This flag is optional and + <emphasis>must</emphasis> be combined with one of the + following two flags. Note, however, the following two options + are <emphasis>mutually exclusive</emphasis>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PRELIM_CHECK</term> + <listitem> + <para> + This indicates that the modules are being probed as to + their ready status for altering the user's authentication + token. If the module requires access to another system over + some network it should attempt to verify it can connect to + this system on receiving this flag. If a module cannot establish + it is ready to update the user's authentication token it should + return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this + information will be passed back to the application. + </para> + <para> + If the control value <emphasis>sufficient</emphasis> is used in + the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section + of the modules following that control value is not always executed. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_UPDATE_AUTHTOK</term> + <listitem> + <para> + This informs the module that this is the call it should change + the authorization tokens. If the flag is logically OR'd with + <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the + token is only changed if it has actually expired. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + The PAM library calls this function twice in succession. The first + time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then, + if the module does not return + <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with + <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on + the second call that the authorization token is (possibly) changed. + </para> + </refsect1> + + <refsect1 id="pam_sm_chauthtok-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTHTOK_ERR</term> + <listitem> + <para> + The module was unable to obtain the new authentication token. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_RECOVERY_ERR</term> + <listitem> + <para> + The module was unable to obtain the old authentication token. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_LOCK_BUSY</term> + <listitem> + <para> + Cannot change the authentication token since it is currently + locked. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTHTOK_DISABLE_AGING</term> + <listitem> + <para> + Authentication token aging has been disabled. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_PERM_DENIED</term> + <listitem> + <para> + Permission denied. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_TRY_AGAIN</term> + <listitem> + <para> + Preliminary check was unsuccessful. Signals an immediate + return to the application is desired. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The authentication token was successfully updated. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User unknown to password service. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_sm_chauthtok-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_sm_close_session.3 b/doc/man/pam_sm_close_session.3 new file mode 100644 index 0000000..c1b4d5d --- /dev/null +++ b/doc/man/pam_sm_close_session.3 @@ -0,0 +1,74 @@ +'\" t +.\" Title: pam_sm_close_session +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SM_CLOSE_SESSION" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_sm_close_session \- PAM service function to terminate session management +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_sm_close_session('u +.BI "int pam_sm_close_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_sm_close_session\fR +function is the service module\*(Aqs implementation of the +\fBpam_close_session\fR(3) +interface\&. +.PP +This function is called to terminate a session\&. The only valid value for +\fIflags\fR +is zero or: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_SESSION_ERR +.RS 4 +Cannot make/remove an entry for the specified session\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The session was successfully terminated\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam\fR(3), +\fBpam_close_session\fR(3), +\fBpam_sm_close_session\fR(3), +\fBpam_strerror\fR(3), +\fBPAM\fR(8) diff --git a/doc/man/pam_sm_close_session.3.xml b/doc/man/pam_sm_close_session.3.xml new file mode 100644 index 0000000..6d8278e --- /dev/null +++ b/doc/man/pam_sm_close_session.3.xml @@ -0,0 +1,99 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-close.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_sm_close_session'> + <refmeta> + <refentrytitle>pam_sm_close_session</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_sm_close_session-name"> + <refname>pam_sm_close_session</refname> + <refpurpose>PAM service function to terminate session management</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_sm_close_session-synopsis'> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_sm_close_session</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + <paramdef>int <parameter>argc</parameter></paramdef> + <paramdef>const char **<parameter>argv</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_sm_close_session-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_sm_close_session</function> function is the service + module's implementation of the + <citerefentry> + <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> interface. + </para> + <para> + This function is called to terminate a session. The only valid + value for <varname role='parameter'>flags</varname> is zero or: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_sm_close_session-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Cannot make/remove an entry for the specified session. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The session was successfully terminated. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_sm_close_session-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_sm_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_sm_open_session.3 b/doc/man/pam_sm_open_session.3 new file mode 100644 index 0000000..b979b12 --- /dev/null +++ b/doc/man/pam_sm_open_session.3 @@ -0,0 +1,74 @@ +'\" t +.\" Title: pam_sm_open_session +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SM_OPEN_SESSION" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_sm_open_session \- PAM service function to start session management +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_sm_open_session('u +.BI "int pam_sm_open_session(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_sm_open_session\fR +function is the service module\*(Aqs implementation of the +\fBpam_open_session\fR(3) +interface\&. +.PP +This function is called to commence a session\&. The only valid value for +\fIflags\fR +is zero or: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.SH "RETURN VALUES" +.PP +PAM_SESSION_ERR +.RS 4 +Cannot make/remove an entry for the specified session\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The session was successfully started\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam\fR(3), +\fBpam_open_session\fR(3), +\fBpam_sm_close_session\fR(3), +\fBpam_strerror\fR(3), +\fBPAM\fR(8) diff --git a/doc/man/pam_sm_open_session.3.xml b/doc/man/pam_sm_open_session.3.xml new file mode 100644 index 0000000..ead7ca7 --- /dev/null +++ b/doc/man/pam_sm_open_session.3.xml @@ -0,0 +1,99 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_sm_open_session'> + <refmeta> + <refentrytitle>pam_sm_open_session</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_sm_open_session-name"> + <refname>pam_sm_open_session</refname> + <refpurpose>PAM service function to start session management</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_sm_open_session-synopsis'> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_sm_open_session</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + <paramdef>int <parameter>argc</parameter></paramdef> + <paramdef>const char **<parameter>argv</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_sm_open_session-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_sm_open_session</function> function is the service + module's implementation of the + <citerefentry> + <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> interface. + </para> + <para> + This function is called to commence a session. The only valid + value for <varname role='parameter'>flags</varname> is zero or: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_sm_open_session-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Cannot make/remove an entry for the specified session. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The session was successfully started. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_sm_open_session-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_sm_close_session</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_sm_setcred.3 b/doc/man/pam_sm_setcred.3 new file mode 100644 index 0000000..6493870 --- /dev/null +++ b/doc/man/pam_sm_setcred.3 @@ -0,0 +1,128 @@ +'\" t +.\" Title: pam_sm_setcred +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SM_SETCRED" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_sm_setcred \- PAM service function to alter credentials +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_modules\&.h> +.fi +.ft +.HP \w'int\ pam_sm_setcred('u +.BI "int pam_sm_setcred(pam_handle_t\ *" "pamh" ", int\ " "flags" ", int\ " "argc" ", const\ char\ **" "argv" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_sm_setcred\fR +function is the service module\*(Aqs implementation of the +\fBpam_setcred\fR(3) +interface\&. +.PP +This function performs the task of altering the credentials of the user with respect to the corresponding authorization scheme\&. Generally, an authentication module may have access to more information about a user than their authentication token\&. This function is used to make such information available to the application\&. It should only be called +\fIafter\fR +the user has been authenticated but before a session has been established\&. +.PP +Valid flags, which may be logically OR\*(Aqd with +\fIPAM_SILENT\fR, are: +.PP +PAM_SILENT +.RS 4 +Do not emit any messages\&. +.RE +.PP +PAM_ESTABLISH_CRED +.RS 4 +Initialize the credentials for the user\&. +.RE +.PP +PAM_DELETE_CRED +.RS 4 +Delete the credentials associated with the authentication service\&. +.RE +.PP +PAM_REINITIALIZE_CRED +.RS 4 +Reinitialize the user credentials\&. +.RE +.PP +PAM_REFRESH_CRED +.RS 4 +Extend the lifetime of the user credentials\&. +.RE +.PP +The way the +\fBauth\fR +stack is navigated in order to evaluate the +\fBpam_setcred\fR() function call, independent of the +\fBpam_sm_setcred\fR() return codes, is exactly the same way that it was navigated when evaluating the +\fBpam_authenticate\fR() library call\&. Typically, if a stack entry was ignored in evaluating +\fBpam_authenticate\fR(), it will be ignored when libpam evaluates the +\fBpam_setcred\fR() function call\&. Otherwise, the return codes from each module specific +\fBpam_sm_setcred\fR() call are treated as +\fBrequired\fR\&. +.SH "RETURN VALUES" +.PP +PAM_CRED_UNAVAIL +.RS 4 +This module cannot retrieve the user\*(Aqs credentials\&. +.RE +.PP +PAM_CRED_EXPIRED +.RS 4 +The user\*(Aqs credentials have expired\&. +.RE +.PP +PAM_CRED_ERR +.RS 4 +This module was unable to set the credentials of the user\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +The user credential was successfully set\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +The user is not known to this authentication module\&. +.RE +.PP +These, non\-\fIPAM_SUCCESS\fR, return values will typically lead to the credential stack +\fIfailing\fR\&. The first such error will dominate in the return value of +\fBpam_setcred\fR()\&. +.SH "SEE ALSO" +.PP +\fBpam\fR(3), +\fBpam_authenticate\fR(3), +\fBpam_setcred\fR(3), +\fBpam_sm_authenticate\fR(3), +\fBpam_strerror\fR(3), +\fBPAM\fR(8) diff --git a/doc/man/pam_sm_setcred.3.xml b/doc/man/pam_sm_setcred.3.xml new file mode 100644 index 0000000..bb04a2d --- /dev/null +++ b/doc/man/pam_sm_setcred.3.xml @@ -0,0 +1,184 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> +<refentry id='pam_sm_setcred'> + <refmeta> + <refentrytitle>pam_sm_setcred</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_sm_setcred-name"> + <refname>pam_sm_setcred</refname> + <refpurpose>PAM service function to alter credentials</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id='pam_sm_setcred-synopsis'> + <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_sm_setcred</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>flags</parameter></paramdef> + <paramdef>int <parameter>argc</parameter></paramdef> + <paramdef>const char **<parameter>argv</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id='pam_sm_setcred-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_sm_setcred</function> function is the service + module's implementation of the + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> interface. + </para> + <para> + This function performs the task of altering the credentials of the + user with respect to the corresponding authorization + scheme. Generally, an authentication module may have access to more + information about a user than their authentication token. This + function is used to make such information available to the + application. It should only be called <emphasis>after</emphasis> the + user has been authenticated but before a session has been established. + </para> + <para> + Valid flags, which may be logically OR'd with + <emphasis>PAM_SILENT</emphasis>, are: + </para> + <variablelist> + <varlistentry> + <term>PAM_SILENT</term> + <listitem> + <para> + Do not emit any messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_ESTABLISH_CRED</term> + <listitem> + <para>Initialize the credentials for the user.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_DELETE_CRED</term> + <listitem> + <para> + Delete the credentials associated with the authentication service. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_REINITIALIZE_CRED</term> + <listitem> + <para> + Reinitialize the user credentials. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_REFRESH_CRED</term> + <listitem> + <para> + Extend the lifetime of the user credentials. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + The way the <emphasis remap='B'>auth</emphasis> stack is + navigated in order to evaluate the <function>pam_setcred</function>() + function call, independent of the <function>pam_sm_setcred</function>() + return codes, is exactly the same way that it was navigated when + evaluating the <function>pam_authenticate</function>() library + call. Typically, if a stack entry was ignored in evaluating + <function>pam_authenticate</function>(), it will be ignored when + libpam evaluates the <function>pam_setcred</function>() function + call. Otherwise, the return codes from each module specific + <function>pam_sm_setcred</function>() call are treated as + <emphasis remap='B'>required</emphasis>. + </para> + </refsect1> + + <refsect1 id="pam_sm_setcred-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_CRED_UNAVAIL</term> + <listitem> + <para> + This module cannot retrieve the user's credentials. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_EXPIRED</term> + <listitem> + <para> + The user's credentials have expired. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_CRED_ERR</term> + <listitem> + <para> + This module was unable to set the credentials of the user. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The user credential was successfully set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to this authentication module. + </para> + </listitem> + </varlistentry> + </variablelist> + <para> + These, non-<emphasis>PAM_SUCCESS</emphasis>, return values will + typically lead to the credential stack <emphasis>failing</emphasis>. + The first such error will dominate in the return value of + <function>pam_setcred</function>(). + </para> + </refsect1> + + <refsect1 id='pam_sm_setcred-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_start.3 b/doc/man/pam_start.3 new file mode 100644 index 0000000..35ba148 --- /dev/null +++ b/doc/man/pam_start.3 @@ -0,0 +1,117 @@ +'\" t +.\" Title: pam_start +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_START" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_start, pam_start_confdir \- initialization of PAM transaction +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'int\ pam_start('u +.BI "int pam_start(const\ char\ *" "service_name" ", const\ char\ *" "user" ", const\ struct\ pam_conv\ *" "pam_conversation" ", pam_handle_t\ **" "pamh" ");" +.HP \w'int\ pam_start_confdir('u +.BI "int pam_start_confdir(const\ char\ *" "service_name" ", const\ char\ *" "user" ", const\ struct\ pam_conv\ *" "pam_conversation" ", const\ char\ *" "confdir" ", pam_handle_t\ **" "pamh" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_start\fR +function creates the PAM context and initiates the PAM transaction\&. It is the first of the PAM functions that needs to be called by an application\&. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel\&. But it is not possible to use the same handle for different transactions, a new one is needed for every new context\&. +.PP +The +\fIservice_name\fR +argument specifies the name of the service to apply and will be stored as PAM_SERVICE item in the new context\&. The policy for the service will be read from the file +/etc/pam\&.d/service_name +or, if that file does not exist, from +/etc/pam\&.conf\&. +.PP +The +\fIuser\fR +argument can specify the name of the target user and will be stored as PAM_USER item\&. If the argument is NULL, the module has to ask for this item if necessary\&. +.PP +The +\fIpam_conversation\fR +argument points to a +\fIstruct pam_conv\fR +describing the conversation function to use\&. An application must provide this for direct communication between a loaded module and the application\&. +.PP +Following a successful return (PAM_SUCCESS) the contents of +\fIpamh\fR +is a handle that contains the PAM context for successive calls to the PAM functions\&. In an error case is the content of +\fIpamh\fR +undefined\&. +.PP +The +\fIpam_handle_t\fR +is a blind structure and the application should not attempt to probe it directly for information\&. Instead the PAM library provides the functions +\fBpam_set_item\fR(3) +and +\fBpam_get_item\fR(3)\&. The PAM handle cannot be used for multiple authentications at the same time as long as +\fBpam_end\fR +was not called on it before\&. +.PP +The +\fBpam_start_confdir\fR +function behaves like the +\fBpam_start\fR +function but it also allows setting +\fIconfdir\fR +argument with a path to a directory to override the default (/etc/pam\&.d) path for service policy files\&. If the +\fIconfdir\fR +is NULL, the function works exactly the same as +\fBpam_start\fR\&. +.SH "RETURN VALUES" +.PP +PAM_ABORT +.RS 4 +General failure\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Transaction was successfully started\&. +.RE +.PP +PAM_SYSTEM_ERR +.RS 4 +System error, for example a NULL pointer was submitted instead of a pointer to data\&. +.RE +.SH "SEE ALSO" +.PP +\fBpam_get_data\fR(3), +\fBpam_set_data\fR(3), +\fBpam_end\fR(3), +\fBpam_strerror\fR(3) diff --git a/doc/man/pam_start.3.xml b/doc/man/pam_start.3.xml new file mode 100644 index 0000000..1d544e6 --- /dev/null +++ b/doc/man/pam_start.3.xml @@ -0,0 +1,167 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_start'> + + <refmeta> + <refentrytitle>pam_start</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_start-name"> + <refname>pam_start</refname> + <refname>pam_start_confdir</refname> + <refpurpose>initialization of PAM transaction</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_start-synopsis"> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>int <function>pam_start</function></funcdef> + <paramdef>const char *<parameter>service_name</parameter></paramdef> + <paramdef>const char *<parameter>user</parameter></paramdef> + <paramdef>const struct pam_conv *<parameter>pam_conversation</parameter></paramdef> + <paramdef>pam_handle_t **<parameter>pamh</parameter></paramdef> + </funcprototype> + <funcprototype> + <funcdef>int <function>pam_start_confdir</function></funcdef> + <paramdef>const char *<parameter>service_name</parameter></paramdef> + <paramdef>const char *<parameter>user</parameter></paramdef> + <paramdef>const struct pam_conv *<parameter>pam_conversation</parameter></paramdef> + <paramdef>const char *<parameter>confdir</parameter></paramdef> + <paramdef>pam_handle_t **<parameter>pamh</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_start-description"> + <title>DESCRIPTION</title> + <para> + The <function>pam_start</function> function creates the PAM context + and initiates the PAM transaction. It is the first of the PAM + functions that needs to be called by an application. The transaction + state is contained entirely within the structure identified by this + handle, so it is possible to have multiple transactions in parallel. + But it is not possible to use the same handle for different + transactions, a new one is needed for every new context. + </para> + + <para> + The <emphasis>service_name</emphasis> argument specifies the name + of the service to apply and will be stored as PAM_SERVICE item in + the new context. The policy for the service will be read from the + file <filename>/etc/pam.d/service_name</filename> or, if that file + does not exist, from <filename>/etc/pam.conf</filename>. + </para> + + <para> + The <emphasis>user</emphasis> argument can specify the name + of the target user and will be stored as PAM_USER item. If + the argument is NULL, the module has to ask for this item if + necessary. + </para> + + <para> + The <emphasis>pam_conversation</emphasis> argument points to + a <emphasis>struct pam_conv</emphasis> describing the + conversation function to use. An application must provide this + for direct communication between a loaded module and the + application. + </para> + + <para> + Following a successful return (PAM_SUCCESS) the contents of + <emphasis>pamh</emphasis> is a handle that contains the PAM + context for successive calls to the PAM functions. In an error + case is the content of <emphasis>pamh</emphasis> undefined. + </para> + + <para> + The <emphasis>pam_handle_t</emphasis> is a blind structure and + the application should not attempt to probe it directly for + information. Instead the PAM library provides the functions + <citerefentry> + <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> and + <citerefentry> + <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + The PAM handle cannot be used for multiple authentications at the + same time as long as <function>pam_end</function> was not called on + it before. + </para> + + <para> + The <function>pam_start_confdir</function> function behaves + like the <function>pam_start</function> function but it also + allows setting <emphasis>confdir</emphasis> argument with + a path to a directory to override the default + (<filename>/etc/pam.d</filename>) path for service policy + files. If the <emphasis>confdir</emphasis> is NULL, the function + works exactly the same as <function>pam_start</function>. + </para> + + </refsect1> + <refsect1 id="pam_start-return_values"> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_ABORT</term> + <listitem> + <para> + General failure. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Transaction was successfully started. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SYSTEM_ERR</term> + <listitem> + <para> + System error, for example a NULL pointer was submitted + instead of a pointer to data. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_start-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_strerror.3 b/doc/man/pam_strerror.3 new file mode 100644 index 0000000..0d15203 --- /dev/null +++ b/doc/man/pam_strerror.3 @@ -0,0 +1,52 @@ +'\" t +.\" Title: pam_strerror +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_STRERROR" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_strerror \- return string describing PAM error code +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.HP \w'const\ char\ *pam_strerror('u +.BI "const char *pam_strerror(pam_handle_t\ *" "pamh" ", int\ " "errnum" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_strerror\fR +function returns a pointer to a string describing the error code passed in the argument +\fIerrnum\fR, possibly using the LC_MESSAGES part of the current locale to select the appropriate language\&. This string must not be modified by the application\&. No library function will modify this string\&. +.SH "RETURN VALUES" +.PP +This function returns always a pointer to a string\&. +.SH "SEE ALSO" +.PP +\fBpam\fR(8) diff --git a/doc/man/pam_strerror.3.xml b/doc/man/pam_strerror.3.xml new file mode 100644 index 0000000..954e131 --- /dev/null +++ b/doc/man/pam_strerror.3.xml @@ -0,0 +1,58 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam_strerror'> + + <refmeta> + <refentrytitle>pam_strerror</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_strerror-name"> + <refname>pam_strerror</refname> + <refpurpose>return string describing PAM error code</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv> + <funcsynopsis id="pam_strerror-synopsis"> + <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> + <funcprototype> + <funcdef>const char *<function>pam_strerror</function></funcdef> + <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>errnum</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + + <refsect1 id="pam_strerror-description"> + <title>DESCRIPTION</title> + <para> + The <function>pam_strerror</function> function returns a pointer to + a string describing the error code passed in the argument + <emphasis>errnum</emphasis>, possibly using the LC_MESSAGES part of + the current locale to select the appropriate language. This string + must not be modified by the application. No library function will + modify this string. + </para> + </refsect1> + <refsect1 id="pam_strerror-return_values"> + <title>RETURN VALUES</title> + <para> + This function returns always a pointer to a string. + </para> + </refsect1> + + <refsect1 id="pam_strerror-see_also"> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> diff --git a/doc/man/pam_syslog.3 b/doc/man/pam_syslog.3 new file mode 100644 index 0000000..eda2e40 --- /dev/null +++ b/doc/man/pam_syslog.3 @@ -0,0 +1,77 @@ +'\" t +.\" Title: pam_syslog +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SYSLOG" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_syslog, pam_vsyslog \- send messages to the system logger +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <syslog\&.h> +.fi +.ft +.sp +.ft B +.nf +#include <security/pam_ext\&.h> +.fi +.ft +.HP \w'void\ pam_syslog('u +.BI "void pam_syslog(const\ pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", " "\&.\&.\&." ");" +.HP \w'void\ pam_vsyslog('u +.BI "void pam_vsyslog(const\ pam_handle_t\ *" "pamh" ", int\ " "priority" ", const\ char\ *" "fmt" ", va_list\ " "args" ");" +.SH "DESCRIPTION" +.PP +The +\fBpam_syslog\fR +function logs messages using +\fBsyslog\fR(3) +and is intended for internal use by Linux\-PAM and PAM service modules\&. The +\fIpriority\fR +argument is formed by ORing the facility and the level values as documented in the +\fBsyslog\fR(3) +manual page\&. +.PP +The +\fBpam_vsyslog\fR +function performs the same task as +\fBpam_syslog()\fR +with the difference that it takes a set of arguments which have been obtained using the +\fBstdarg\fR(3) +variable argument list macros\&. +.SH "SEE ALSO" +.PP +\fBpam\fR(8) +.SH "STANDARDS" +.PP +The +\fBpam_syslog\fR +and +\fBpam_vsyslog\fR +functions are Linux\-PAM extensions\&. diff --git a/doc/man/pam_syslog.3.xml b/doc/man/pam_syslog.3.xml new file mode 100644 index 0000000..ca28587 --- /dev/null +++ b/doc/man/pam_syslog.3.xml @@ -0,0 +1,82 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id="pam_syslog"> + + <refmeta> + <refentrytitle>pam_syslog</refentrytitle> + <manvolnum>3</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_syslog-name"> + <refname>pam_syslog</refname> + <refname>pam_vsyslog</refname> + <refpurpose>send messages to the system logger</refpurpose> + </refnamediv> + +<!-- body begins here --> + + <refsynopsisdiv id="pam_syslog-synopsis"> + <funcsynopsis> + <funcsynopsisinfo>#include <syslog.h></funcsynopsisinfo> + <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> + <funcprototype> + <funcdef>void <function>pam_syslog</function></funcdef> + <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>priority</parameter></paramdef> + <paramdef>const char *<parameter>fmt</parameter></paramdef> + <paramdef><parameter>...</parameter></paramdef> + </funcprototype> + <funcprototype> + <funcdef>void <function>pam_vsyslog</function></funcdef> + <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef> + <paramdef>int <parameter>priority</parameter></paramdef> + <paramdef>const char *<parameter>fmt</parameter></paramdef> + <paramdef>va_list <parameter>args</parameter></paramdef> + </funcprototype> + </funcsynopsis> + </refsynopsisdiv> + + <refsect1 id='pam_syslog-description'> + <title>DESCRIPTION</title> + <para> + The <function>pam_syslog</function> function logs messages using + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> and is intended for internal use by Linux-PAM and + PAM service modules. The <emphasis>priority</emphasis> argument is + formed by ORing the facility and the level values as documented + in the <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> manual page. + </para> + <para> + The <function>pam_vsyslog</function> function performs the same + task as <function>pam_syslog()</function> with the difference + that it takes a set of arguments which have been obtained using + the <citerefentry> + <refentrytitle>stdarg</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> variable argument list macros. + </para> + </refsect1> + + <refsect1 id='pam_syslog-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_syslog-standards'> + <title>STANDARDS</title> + <para> + The <function>pam_syslog</function> and <function>pam_vsyslog</function> + functions are Linux-PAM extensions. + </para> + </refsect1> + +</refentry> diff --git a/doc/man/pam_verror.3 b/doc/man/pam_verror.3 new file mode 100644 index 0000000..6e052ef --- /dev/null +++ b/doc/man/pam_verror.3 @@ -0,0 +1 @@ +.so man3/pam_error.3 diff --git a/doc/man/pam_vinfo.3 b/doc/man/pam_vinfo.3 new file mode 100644 index 0000000..79f3a15 --- /dev/null +++ b/doc/man/pam_vinfo.3 @@ -0,0 +1 @@ +.so man3/pam_info.3 diff --git a/doc/man/pam_vprompt.3 b/doc/man/pam_vprompt.3 new file mode 100644 index 0000000..bba0b1d --- /dev/null +++ b/doc/man/pam_vprompt.3 @@ -0,0 +1 @@ +.so man3/pam_prompt.3 diff --git a/doc/man/pam_vsyslog.3 b/doc/man/pam_vsyslog.3 new file mode 100644 index 0000000..b987b06 --- /dev/null +++ b/doc/man/pam_vsyslog.3 @@ -0,0 +1 @@ +.so man3/pam_syslog.3 diff --git a/doc/man/pam_xauth_data.3 b/doc/man/pam_xauth_data.3 new file mode 100644 index 0000000..6bd4093 --- /dev/null +++ b/doc/man/pam_xauth_data.3 @@ -0,0 +1,84 @@ +'\" t +.\" Title: pam_xauth_data +.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_XAUTH_DATA" "3" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_xauth_data \- structure containing X authentication data +.SH "SYNOPSIS" +.sp +.ft B +.nf +#include <security/pam_appl\&.h> +.fi +.ft +.sp +.nf +struct pam_xauth_data { + int namelen; + char *name; + int datalen; + char *data; +}; + +.fi +.SH "DESCRIPTION" +.PP +The +\fBpam_xauth_data\fR +structure contains X authentication data used to make a connection to an X display\&. Using this mechanism, an application can communicate X authentication data to PAM service modules\&. This allows modules to make a connection to the user\*(Aqs X display in order to label the user\*(Aqs session on login, display visual feedback or for other purposes\&. +.PP +The +\fIname\fR +field contains the name of the authentication method, such as "MIT\-MAGIC\-COOKIE\-1"\&. The +\fInamelen\fR +field contains the length of this string, not including the trailing NUL character\&. +.PP +The +\fIdata\fR +field contains the authentication method\-specific data corresponding to the specified name\&. The +\fIdatalen\fR +field contains its length in bytes\&. +.PP +The X authentication data can be changed with the +\fIPAM_XAUTH_DATA\fR +item\&. It can be queried and set with +\fBpam_get_item\fR(3) +and +\fBpam_set_item \fR(3) +respectively\&. The value used to set it should be a pointer to a pam_xauth_data structure\&. An internal copy of both the structure itself and its fields is made by PAM when setting the item\&. +.SH "SEE ALSO" +.PP +\fBpam_start\fR(3), +\fBpam_get_item\fR(3), +.SH "STANDARDS" +.PP +The +\fBpam_xauth_data\fR +structure and +\fIPAM_XAUTH_DATA\fR +item are Linux\-PAM extensions\&. |