pam_unix_cred(5) Standards, Environments, and Macros pam_unix_cred(5)
NAME
pam_unix_cred - PAM user credential authentication module for UNIX
SYNOPSIS
pam_unix_cred.so.1
DESCRIPTION
The pam_unix_cred module implements pam_sm_setcred(3PAM). It provides functions that establish user credential information. It is a module
separate from the pam_unix_auth(5) module to allow replacement of the authentication functionality independently from the credential
functionality.
The pam_unix_cred module must always be stacked along with whatever authentication module is used to ensure correct credential setting.
Authentication service modules must implement both pam_sm_authenticate() and pam_sm_setcred().
pam_sm_authenticate() in this module always returns PAM_IGNORE.
pam_sm_setcred() initializes the user's project and privilege sets, and initializes or updates the user's audit context if it has not
already been initialized. The following flags may be set in the flags field:
PAM_ESTABLISH_CRED
PAM_REFRESH_CRED
PAM_REINITIALIZE_CRED
    Initializes the user's project to the project specified in PAM_RESOURCE, or if PAM_RESOURCE is not specified, to the user's default
    project. Establishes the user's privilege sets.
    If the audit context is not already initialized and auditing is configured, these flags cause the context to be initialized to that
    of the user specified in PAM_USER and host specified in PAM_RHOST. If PAM_RHOST is not specified, the local host is used.
    Additionally, if the audit context is already initialized, the PAM_REINITIALIZE_CRED flag merges the current audit context with that
    of the user specified in PAM_USER. PAM_REINITIALIZE_CRED is useful when a user is assuming a new identity, as with su(1M).
PAM_DELETE_CRED This flag has no effect and always returns PAM_SUCCESS.
The following options are interpreted:
debug Provides syslog(3C) debugging information at the LOG_DEBUG level.
nowarn Disables any warning messages.
ERRORS
Upon successful completion of pam_sm_setcred(), PAM_SUCCESS is returned. The following error codes are returned upon error:
PAM_CRED_UNAVAIL Underlying authentication service cannot retrieve user credentials
PAM_CRED_EXPIRED User credentials have expired
PAM_USER_UNKNOWN User is unknown to the authentication service
PAM_CRED_ERR Failure in setting user credentials
PAM_BUF_ERR Memory buffer error
PAM_SYSTEM_ERR System error
The following values are returned from pam_sm_authenticate():
PAM_IGNORE Ignores this module regardless of the control flag
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Interface Stability |Evolving |
+-----------------------------+-----------------------------+
|MT Level |MT-Safe with exceptions |
+-----------------------------+-----------------------------+
SEE ALSO
su(1M), settaskid(2), libpam(3LIB), getprojent(3PROJECT), pam(3PAM), pam_set_item(3PAM), pam_sm_authenticate(3PAM), syslog(3C),
setproject(3PROJECT), pam.conf(4), nsswitch.conf(4), project(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_auth(5), pam_unix_account(5), pam_unix_session(5), privileges(5)
NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.
If this module is replaced, the audit context and credential may not be correctly configured.
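The stacking requirement in DESCRIPTION and the note above can be checked mechanically. The following is an added example, not part of the original manual page or of the module's own code: it reports services whose auth stack omits pam_unix_cred.so.1, and stacks that contain nothing else. The function names, the sample services and custom_ldap.so.1 are hypothetical, and the pam.conf(4) field order (service, module type, control flag, module path, options) is assumed.

```python
CRED_MODULE = "pam_unix_cred.so.1"

# Constructed sample, not from a real system. Assumed field order per line:
#   service  module_type  control_flag  module_path  [options]
# "myapp", "batchjob" and custom_ldap.so.1 are hypothetical names.
SAMPLE_PAM_CONF = """\
# constructed sample
login    auth requisite  pam_authtok_get.so.1
login    auth required   pam_unix_cred.so.1
login    auth required   pam_unix_auth.so.1
login    account required pam_unix_account.so.1
myapp    auth required   /usr/lib/security/custom_ldap.so.1 debug
batchjob auth required   pam_unix_cred.so.1 nowarn
other    auth required   pam_unix_cred.so.1
other    auth required   pam_unix_auth.so.1
"""


def parse_auth_stacks(text):
    """Return {service: [module file names]} for auth entries only."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].lower() != "auth":
            continue  # malformed line or a non-auth module type
        module = fields[3].rsplit("/", 1)[-1]  # drop any directory prefix
        stacks.setdefault(fields[0].lower(), []).append(module)
    return stacks


def audit_auth_stacks(text):
    """Return {service: finding} for auth stacks that need attention."""
    findings = {}
    for service, modules in parse_auth_stacks(text).items():
        if CRED_MODULE not in modules:
            # Replacement auth module stacked without the credential module.
            findings[service] = "missing_cred"
        elif all(m == CRED_MODULE for m in modules):
            # pam_sm_authenticate() here returns PAM_IGNORE: nothing authenticates.
            findings[service] = "cred_only"
    return findings


if __name__ == "__main__":
    for service, finding in sorted(audit_auth_stacks(SAMPLE_PAM_CONF).items()):
        print(f"{service}: {finding}")
```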
SunOS 5.10 29 Jul 2004 pam_unix_cred(5)