Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

pam_get_authtok(3) [freebsd man page]

PAM_GET_AUTHTOK(3)					   BSD Library Functions Manual 					PAM_GET_AUTHTOK(3)

NAME
pam_get_authtok -- retrieve authentication token LIBRARY
Pluggable Authentication Module Library (libpam, -lpam) SYNOPSIS
#include <sys/types.h> #include <security/pam_appl.h> int pam_get_authtok(pam_handle_t *pamh, int item, const char **authtok, const char *prompt); DESCRIPTION
The pam_get_authtok() function either prompts the user for an authentication token or retrieves a cached authentication token, depending on circumstances. Either way, a pointer to the authentication token is stored in the location pointed to by the authtok argument, and the cor- responding PAM item is updated. The item argument must have one of the following values: PAM_AUTHTOK Returns the current authentication token, or the new token when changing authentication tokens. PAM_OLDAUTHTOK Returns the previous authentication token when changing authentication tokens. The prompt argument specifies a prompt to use if no token is cached. If it is NULL, the PAM_AUTHTOK_PROMPT or PAM_OLDAUTHTOK_PROMPT item, as appropriate, will be used. If that item is also NULL, a hardcoded default prompt will be used. Additionally, when pam_get_authtok() is called from a service module, the prompt may be affected by module options as described below. The prompt is then expanded using openpam_subst(3) before it is passed to the conversation function. If item is set to PAM_AUTHTOK and there is a non-null PAM_OLDAUTHTOK item, pam_get_authtok() will ask the user to confirm the new token by retyping it. If there is a mismatch, pam_get_authtok() will return PAM_TRY_AGAIN. MODULE OPTIONS
When called by a service module, pam_get_authtok() will recognize the following module options: authtok_prompt Prompt to use when item is set to PAM_AUTHTOK. This option overrides both the prompt argument and the PAM_AUTHTOK_PROMPT item. echo_pass If the application's conversation function allows it, this lets the user see what they are typing. This should only be used for non-reusable authentication tokens. oldauthtok_prompt Prompt to use when item is set to PAM_OLDAUTHTOK. This option overrides both the prompt argument and the PAM_OLDAUTHTOK_PROMPT item. try_first_pass If the requested item is non-null, return it without prompting the user. Typically, the service module will verify the token, and if it does not match, clear the item before calling pam_get_authtok() a second time. use_first_pass Do not prompt the user at all; just return the cached value, or PAM_AUTH_ERR if there is none. RETURN VALUES
The pam_get_authtok() function returns one of the following values: [PAM_BUF_ERR] Memory buffer error. [PAM_CONV_ERR] Conversation failure. [PAM_SYSTEM_ERR] System error. [PAM_TRY_AGAIN] Try again. SEE ALSO
openpam_get_option(3), openpam_subst(3), pam(3), pam_conv(3), pam_get_item(3), pam_get_user(3), pam_strerror(3) STANDARDS
The pam_get_authtok() function is an OpenPAM extension. AUTHORS
The pam_get_authtok() function and this manual page were developed for the FreeBSD Project by ThinkSec AS and Network Associates Laborato- ries, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program. The OpenPAM library is maintained by Dag-Erling Smorgrav <des@des.no>. BSD
September 12, 2014 BSD

Check Out this Related Man Page

PAM_GET_AUTHTOK(3)						 Linux-PAM Manual						PAM_GET_AUTHTOK(3)

NAME
pam_get_authtok, pam_get_authtok_verify, pam_get_authtok_noverify - get authentication token SYNOPSIS
#include <security/pam_ext.h> int pam_get_authtok(pam_handle_t *pamh, int item, const char **authtok, const char *prompt); int pam_get_authtok_noverify(pam_handle_t *pamh, const char **authtok, const char *prompt); int pam_get_authtok_verify(pam_handle_t *pamh, const char **authtok, const char *prompt); DESCRIPTION
The pam_get_authtok function returns the cached authentication token, or prompts the user if no token is currently cached. It is intended for internal use by Linux-PAM and PAM service modules. Upon successful return, authtok contains a pointer to the value of the authentication token. Note, this is a pointer to the actual data and should not be free()'ed or over-written! The prompt argument specifies a prompt to use if no token is cached. If a NULL pointer is given, pam_get_authtok uses pre-defined prompts. The following values are supported for item: PAM_AUTHTOK Returns the current authentication token. Called from pam_sm_chauthtok(3) pam_get_authtok will ask the user to confirm the new token by retyping it. If a prompt was specified, "Retype" will be used as prefix. PAM_OLDAUTHTOK Returns the previous authentication token when changing authentication tokens. The pam_get_authtok_noverify function can only be used for changing the password (from pam_sm_chauthtok(3)). It returns the cached authentication token, or prompts the user if no token is currently cached. The difference to pam_get_authtok is, that this function does not ask a second time for the password to verify it. Upon successful return, authtok contains a pointer to the value of the authentication token. Note, this is a pointer to the actual data and should not be free()'ed or over-written! The pam_get_authtok_verify function can only be used to verify a password for mistypes gotten by pam_get_authtok_noverify(3). This function asks a second time for the password and verify it with the password provided by authtok argument. In case of an error, the value of authtok is undefined. Else this argument will point to the actual data and should not be free()'ed or over-written! OPTIONS
pam_get_authtok honours the following module options: try_first_pass Before prompting the user for their password, the module first tries the previous stacked module's password in case that satisfies this module as well. use_first_pass The argument use_first_pass forces the module to use a previous stacked modules password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access. use_authtok When password changing enforce the module to set the new token to the one provided by a previously stacked password module. If no token is available token changing will fail. authtok_type=XXX The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The example word UNIX can be replaced with this option, by default it is empty. RETURN VALUES
PAM_AUTH_ERR Authentication token could not be retrieved. PAM_AUTHTOK_ERR New authentication could not be retrieved. PAM_SUCCESS Authentication token was successfully retrieved. PAM_SYSTEM_ERR No space for an authentication token was provided. PAM_TRY_AGAIN New authentication tokens mismatch. SEE ALSO
pam(8) STANDARDS
The pam_get_authtok function is a Linux-PAM extensions. Linux-PAM Manual 06/04/2011 PAM_GET_AUTHTOK(3)
Man Page