source: openpam/trunk/doc/man/pam.man @ 286

Last change on this file since 286 was 286, checked in by des, 9 years ago

Add a couple of missing words.

File size: 3.2 KB
Line 
1.\"
2.\" $P4: //depot/projects/openpam/doc/man/pam.man#3 $
3.\"
4.Sh DESCRIPTION
5The Pluggable Authentication Modules (PAM) library abstracts a number
6of common authentication-related operations and provides a framework
7for dynamically loaded modules that implement these operations in
8various ways.
9.Ss Terminology
10In PAM parlance, the application that uses PAM to authenticate a user
11is the server, and is identified for configuration purposes by a
12service name, which is often (but not necessarily) the program name.
13.Pp
14The user requesting authentication is called the applicant, while the
15user (usually, root) charged with verifying his identity and granting
16him the requested credentials is called the arbitrator.
17.Pp
18The sequence of operations the server goes through to authenticate a
19user and perform whatever task he requested is a PAM transaction; the
20context within which the server performs the requested task is called
21a session.
22.Pp
23The functionality embodied by PAM is divided into six primitives
24grouped into four facilities: authentication, account management,
25session management and password management.
26.Ss Conversation
27The PAM library expects the application to provide a conversation
28callback which it can use to communicate with the user.
29Some modules may use specialized conversation functions to communicate
30with special hardware such as cryptographic dongles or biometric
31devices.
32See
33.Xr pam_conv 3
34for details.
35.Ss Initialization and Cleanup
36The
37.Fn pam_start
38function initializes the PAM library and returns a handle which must
39be provided in all subsequent function calls.
40The transaction state is contained entirely within the structure
41identified by this handle, so it is possible to conduct multiple
42transactions in parallel.
43.Pp
44The
45.Fn pam_end
46function releases all resources associated with the specified context,
47and can be called at any time to terminate a PAM transaction.
48.Ss Storage
49The
50.Fn pam_set_item
51and
52.Fn pam_get_item
53functions set and retrieve a number of predefined items, including the
54service name, the names of the requesting and target users, the
55conversation function, and prompts.
56.Pp
57The
58.Fn pam_set_data
59and
60.Fn pam_get_data
61functions manage named chunks of free-form data, generally used by
62modules to store state from one invocation to another.
63.Ss Authentication
64There are two authentication primitives:
65.Fn pam_authenticate
66and
67.Fn pam_setcred .
68The former authenticates the user, while the latter manages his
69credentials.
70.Ss Account Management
71The
72.Fn pam_acct_mgmt
73function enforces policies such as password expiry, account expiry,
74time-of-day restrictions, and so forth.
75.Ss Session Management
76The
77.Fn pam_open_session
78and
79.Fn pam_close_session
80functions handle session setup and teardown.
81.Ss Password Management
82The
83.Fn pam_chauthtok
84function allows the server to change the user's password, either at
85the user's request or because the password has expired.
86.Ss Miscellaneous
87The
88.Fn pam_putenv ,
89.Fn pam_getenv
90and
91.Fn pam_getenvlist
92functions
93manage a private environment list in which modules can set environment
94variables they want the server to export during the session.
95.Pp
96The
97.Fn pam_strerror
98function returns a pointer to a string describing the specified PAM
99error code.
Note: See TracBrowser for help on using the repository browser.