pam_sm_chauthtok man page on SmartOS

Printed from http://www.polarhome.com/service/man/?qf=pam_sm_chauthtok&af=0&tf=2&of=SmartOS

PAM_SM_CHAUTHTOK(3PAM)					PAM_SM_CHAUTHTOK(3PAM)

NAME
       pam_sm_chauthtok - service provider implementation for pam_chauthtok

SYNOPSIS
       cc [ flag ...] file ... -lpam [ library ... ]
       #include <security/pam_appl.h>
       #include <security/pam_modules.h>

       int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
	    const char **argv);

DESCRIPTION
       In  response  to	 a  call  to  pam_chauthtok()  the PAM framework calls
       pam_sm_chauthtok(3PAM) from the modules listed in the pam.conf(4) file.
       The  password  management  provider supplies the back-end functionality
       for this interface function.

       The pam_sm_chauthtok() function changes the authentication token	 asso‐
       ciated  with  a particular user referenced by the authentication handle
       pamh.

       The following flag may be passed to pam_chauthtok():

       PAM_SILENT
				     The password service should not  generate
				     any messages.

       PAM_CHANGE_EXPIRED_AUTHTOK
				     The  password  service should only update
				     those passwords that have aged.  If  this
				     flag  is not passed, the password service
				     should update all passwords.

       PAM_PRELIM_CHECK
				     The password service should only  perform
				     preliminary  checks.  No passwords should
				     be updated.

       PAM_NO_AUTHTOK_CHECK
				     The password service should  not  perform
				     conformance  checks  on  the structure of
				     the password. Conformance checks  do  not
				     apply to verification that the same pass‐
				     word was entered during both passes.

       PAM_UPDATE_AUTHTOK
				     The password service should update	 pass‐
				     words.

       Note  that PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK cannot be set at the
       same time.

       Upon successful completion of the call, the authentication token of the
       user  will  be  ready for change or will be changed, depending upon the
       flag, in accordance with the authentication  scheme  configured	within
       the system.

       The  argc  argument  represents	the number of module options passed in
       from the configuration file pam.conf(4). The  argv  argument  specifies
       the module options, which are interpreted and processed by the password
       management service. Please refer to the specific module man  pages  for
       the various available options.

       It  is the responsibility of pam_sm_chauthtok() to determine if the new
       password meets certain strength	requirements.  pam_sm_chauthtok()  may
       continue	 to  re-prompt	the user (for a limited number of times) for a
       new password until the password entered	meets  the  strength  require‐
       ments.

       Before  returning,  pam_sm_chauthtok()  should call  pam_get_item() and
       retrieve	 both  PAM_AUTHTOK  and	 PAM_OLDAUTHTOK.  If  both  are	 NULL,
       pam_sm_chauthtok()  should  set	them  to  the new and old passwords as
       entered by the user.

RETURN VALUES
       Upon successful completion, PAM_SUCCESS must be returned. The following
       values may also be returned:

       PAM_PERM_DENIED
				    No permission.

       PAM_AUTHTOK_ERR
				    Authentication token manipulation error.

       PAM_AUTHTOK_RECOVERY_ERR
				    Old	 authentication token cannot be recov‐
				    ered.

       PAM_AUTHTOK_LOCK_BUSY
				    Authentication token lock busy.

       PAM_AUTHTOK_DISABLE_AGING
				    Authentication token aging disabled.

       PAM_USER_UNKNOWN
				    User unknown to password service.

       PAM_TRY_AGAIN
				    Preliminary	 check	by  password   service
				    failed.

ATTRIBUTES
       See attributes(5) for description of the following attributes:

       ┌────────────────────┬─────────────────────────┐
       │  ATTRIBUTE TYPE    │	  ATTRIBUTE VALUE     │
       ├────────────────────┼─────────────────────────┤
       │Interface Stability │  Stable		      │
       ├────────────────────┼─────────────────────────┤
       │MT-Level	    │ MT-Safe with exceptions │
       └────────────────────┴─────────────────────────┘

SEE ALSO
       ping(1M),     pam(3PAM),	   pam_chauthtok(3PAM),	   pam_get_data(3PAM),
       pam_get_item(3PAM),  pam_set_data(3PAM),	  libpam(3LIB),	  pam.conf(4),
       attributes(5)

NOTES
       The  PAM	 framework invokes the password services twice. The first time
       the modules are invoked with the flag,  PAM_PRELIM_CHECK.  During  this
       stage, the password modules should only perform preliminary checks. For
       example, they may ping remote name services to see if  they  are	 ready
       for  updates.  If a password module detects a transient error such as a
       remote name service temporarily down, it should return PAM_TRY_AGAIN to
       the  PAM framework, which will immediately return the error back to the
       application. If all password modules pass the  preliminary  check,  the
       PAM  framework  invokes	the  password  services	 again	with the flag,
       PAM_UPDATE_AUTHTOK.  During this stage,	each  password	module	should
       proceed	to  update  the	 appropriate password. Any error will again be
       reported back to application.

       If a service module receives the	 flag  PAM_CHANGE_EXPIRED_AUTHTOK,  it
       should  check whether the password has aged or expired. If the password
       has aged or expired, then the service module should proceed  to	update
       the  password.  If  the	status indicates that the password has not yet
       aged or expired, then the password module should return PAM_IGNORE.

       If a user's password has aged or expired, a PAM	account	 module	 could
       save  this  information	as  state  in the authentication handle, pamh,
       using pam_set_data(). The  related  password  management	 module	 could
       retrieve	 this information using pam_get_data() to determine whether or
       not it should prompt the user to update the password for this  particu‐
       lar module.

       The  interfaces	in  libpam  are MT-Safe only if each thread within the
       multithreaded application uses its own PAM handle.

       If the PAM_REPOSITORY item_type is set and a service  module  does  not
       recognize  the  type,  the service module does not process any informa‐
       tion, and returns PAM_IGNORE. If the PAM_REPOSITORY  item_type  is  not
       set, a service module performs its default action.

				  Mar 1, 2005		PAM_SM_CHAUTHTOK(3PAM)
[top]

List of man pages available for SmartOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net