Changeset 670 in openpam for trunk/lib/libpam


Ignore:
Timestamp:
Mar 17, 2013, 7:26:07 PM (8 years ago)
Author:
Dag-Erling Smørgrav
Message:

Document the effect of module options (echo_pass, *_prompt etc)

Location:
trunk/lib/libpam
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/lib/libpam/pam_get_authtok.c

    r648 r670  
    169169
    170170/**
    171  * The =pam_get_authtok function returns the cached authentication token,
    172  * or prompts the user if no token is currently cached.
     171 * The =pam_get_authtok function either prompts the user for an
     172 * authentication token or retrieves a cached authentication token,
     173 * depending on circumstances.
    173174 * Either way, a pointer to the authentication token is stored in the
    174  * location pointed to by the =authtok argument.
     175 * location pointed to by the =authtok argument, and the corresponding PAM
     176 * item is updated.
    175177 *
    176178 * The =item argument must have one of the following values:
     
    187189 * as appropriate, will be used.
    188190 * If that item is also =NULL, a hardcoded default prompt will be used.
    189  * Either way, the prompt is expanded using =openpam_subst before it is
    190  * passed to the conversation function.
    191  *
    192  * If =pam_get_authtok is called from a module and the ;authtok_prompt /
    193  * ;oldauthtok_prompt option is set in the policy file, the value of that
    194  * option takes precedence over both the =prompt argument and the
    195  * =PAM_AUTHTOK_PROMPT / =PAM_OLDAUTHTOK_PROMPT item.
     191 * Additionally, when =pam_get_authtok is called from a service module,
     192 * the prompt may be affected by module options as described below.
     193 * The prompt is then expanded using =openpam_subst before it is passed to
     194 * the conversation function.
    196195 *
    197196 * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK
     
    200199 * If there is a mismatch, =pam_get_authtok will return =PAM_TRY_AGAIN.
    201200 *
     201 * MODULE OPTIONS
     202 *
     203 * When called by a service module, =pam_get_authtok will recognize the
     204 * following module options:
     205 *
     206 *      ;authtok_prompt:
     207 *              Prompt to use when =item is set to =PAM_AUTHTOK.
     208 *              This option overrides both the =prompt argument and the
     209 *              =PAM_AUTHTOK_PROMPT item.
     210 *      ;echo_pass:
     211 *              If the application's conversation function allows it, this
     212 *              lets the user see what they are typing.
     213 *              This should only be used for non-reusable authentication
     214 *              tokens.
     215 *      ;oldauthtok_prompt:
     216 *              Prompt to use when =item is set to =PAM_OLDAUTHTOK.
     217 *              This option overrides both the =prompt argument and the
     218 *              =PAM_OLDAUTHTOK_PROMPT item.
     219 *      ;try_first_pass:
     220 *              If the requested item is non-null, return it without
     221 *              prompting the user.
     222 *              Typically, the service module will verify the token, and
     223 *              if it does not match, clear the item before calling
     224 *              =pam_get_authtok a second time.
     225 *      ;use_first_pass:
     226 *              Do not prompt the user at all; just return the cached
     227 *              value, or =PAM_AUTH_ERR if there is none.
     228 *
     229 * >pam_conv
    202230 * >pam_get_item
    203231 * >pam_get_user
     232 * >openpam_get_option
    204233 * >openpam_subst
    205234 */

  • trunk/lib/libpam/pam_get_user.c

    r648 r670  
    117117 * will prompt for a user name.
    118118 * Either way, a pointer to the user name is stored in the location
    119  * pointed to by the =user argument.
     119 * pointed to by the =user argument, and the corresponding PAM item is
     120 * updated.
    120121 *
    121122 * The =prompt argument specifies a prompt to use if no user name is
     
    123124 * If it is =NULL, the =PAM_USER_PROMPT item will be used.
    124125 * If that item is also =NULL, a hardcoded default prompt will be used.
    125  * Either way, the prompt is expanded using =openpam_subst before it is
    126  * passed to the conversation function.
     126 * Additionally, when =pam_get_user is called from a service module, the
     127 * prompt may be affected by module options as described below.
     128 * The prompt is then expanded using =openpam_subst before it is passed to
     129 * the conversation function.
    127130 *
    128  * If =pam_get_user is called from a module and the ;user_prompt option is
    129  * set in the policy file, the value of that option takes precedence over
    130  * both the =prompt argument and the =PAM_USER_PROMPT item.
     131 * MODULE OPTIONS
    131132 *
     133 * When called by a service module, =pam_get_user will recognize the
     134 * following module options:
     135 *
     136 *      ;user_prompt:
     137 *              Prompt to use when asking for the user name.
     138 *              This option overrides both the =prompt argument and the
     139 *              =PAM_USER_PROMPT item.
     140 *
     141 * >pam_conv
    132142 * >pam_get_item
    133143 * >pam_get_authtok
     144 * >openpam_get_option
    134145 * >openpam_subst
    135146 */
Note: See TracChangeset for help on using the changeset viewer.