PAM_SM_CHAUTHTOK(3PAM)PAM_SM_CHAUTHTOK(3PAM)NAMEpam_sm_chauthtok - service provider implementation for pam_chauthtok
cc [ flag ...] file ... -lpam [ library ... ]
int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
const char **argv);
In response to a call to pam_chauthtok() the PAM framework calls
pam_sm_chauthtok(3PAM) from the modules listed in the pam.conf(4) file.
The password management provider supplies the back-end functionality
for this interface function.
The pam_sm_chauthtok() function changes the authentication token asso‐
ciated with a particular user referenced by the authentication handle
The following flag may be passed to pam_chauthtok():
The password service should not generate
The password service should only update
those passwords that have aged. If this
flag is not passed, the password service
should update all passwords.
The password service should only perform
preliminary checks. No passwords should
The password service should not perform
conformance checks on the structure of
the password. Conformance checks do not
apply to verification that the same pass‐
word was entered during both passes.
The password service should update pass‐
Note that PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK cannot be set at the
Upon successful completion of the call, the authentication token of the
user will be ready for change or will be changed, depending upon the
flag, in accordance with the authentication scheme configured within
The argc argument represents the number of module options passed in
from the configuration file pam.conf(4). The argv argument specifies
the module options, which are interpreted and processed by the password
management service. Please refer to the specific module man pages for
the various available options.
It is the responsibility of pam_sm_chauthtok() to determine if the new
password meets certain strength requirements. pam_sm_chauthtok() may
continue to re-prompt the user (for a limited number of times) for a
new password until the password entered meets the strength require‐
Before returning, pam_sm_chauthtok() should call pam_get_item() and
retrieve both PAM_AUTHTOK and PAM_OLDAUTHTOK. If both are NULL,
pam_sm_chauthtok() should set them to the new and old passwords as
entered by the user.
Upon successful completion, PAM_SUCCESS must be returned. The following
values may also be returned:
Authentication token manipulation error.
Old authentication token cannot be recov‐
Authentication token lock busy.
Authentication token aging disabled.
User unknown to password service.
Preliminary check by password service
See attributes(5) for description of the following attributes:
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
│Interface Stability │ Stable │
│MT-Level │ MT-Safe with exceptions │
SEE ALSOping(1M), pam(3PAM), pam_chauthtok(3PAM), pam_get_data(3PAM),
pam_get_item(3PAM), pam_set_data(3PAM), libpam(3LIB), pam.conf(4),
The PAM framework invokes the password services twice. The first time
the modules are invoked with the flag, PAM_PRELIM_CHECK. During this
stage, the password modules should only perform preliminary checks. For
example, they may ping remote name services to see if they are ready
for updates. If a password module detects a transient error such as a
remote name service temporarily down, it should return PAM_TRY_AGAIN to
the PAM framework, which will immediately return the error back to the
application. If all password modules pass the preliminary check, the
PAM framework invokes the password services again with the flag,
PAM_UPDATE_AUTHTOK. During this stage, each password module should
proceed to update the appropriate password. Any error will again be
reported back to application.
If a service module receives the flag PAM_CHANGE_EXPIRED_AUTHTOK, it
should check whether the password has aged or expired. If the password
has aged or expired, then the service module should proceed to update
the password. If the status indicates that the password has not yet
aged or expired, then the password module should return PAM_IGNORE.
If a user's password has aged or expired, a PAM account module could
save this information as state in the authentication handle, pamh,
using pam_set_data(). The related password management module could
retrieve this information using pam_get_data() to determine whether or
not it should prompt the user to update the password for this particu‐
The interfaces in libpam are MT-Safe only if each thread within the
multithreaded application uses its own PAM handle.
If the PAM_REPOSITORY item_type is set and a service module does not
recognize the type, the service module does not process any informa‐
tion, and returns PAM_IGNORE. If the PAM_REPOSITORY item_type is not
set, a service module performs its default action.
Mar 1, 2005 PAM_SM_CHAUTHTOK(3PAM)