NAME
pam_get_authtok, pam_get_authtok_verify, pam_get_authtok_noverify - get authentication tokenSYNOPSIS
#include <security/pam_ext.h>
int
pam_get_authtok(pam_handle_t *pamh,
int item,
const char **authtok,
const char *prompt);
int
pam_get_authtok_noverify(pam_handle_t *pamh,
const char **authtok,
const char *prompt);
int
pam_get_authtok_verify(pam_handle_t *pamh,
const char **authtok,
const char *prompt);
DESCRIPTION
The pam_get_authtok function returns the cached authentication token, or prompts the user if no token is currently cached. It is intended for internal use by Linux-PAM and PAM service modules. Upon successful return, authtok contains a pointer to the value of the authentication token. Note, this is a pointer to the actual data and should not be free()'ed or over-written! The prompt argument specifies a prompt to use if no token is cached. If a NULL pointer is given, pam_get_authtok uses pre-defined prompts. The following values are supported for item: PAM_AUTHTOKReturns the current authentication token.
Called from pam_sm_chauthtok(3) pam_get_authtok will ask the
user to confirm the new token by retyping it. If a prompt was specified,
"Retype" will be used as prefix.
PAM_OLDAUTHTOK
Returns the previous authentication token when
changing authentication tokens.
The pam_get_authtok_noverify function can only be used for changing the
password (from pam_sm_chauthtok(3)). It returns the cached
authentication token, or prompts the user if no token is currently cached. The
difference to pam_get_authtok is, that this function does not ask a
second time for the password to verify it. Upon successful return,
authtok contains a pointer to the value of the authentication token.
Note, this is a pointer to the actual data and should not be
free()'ed or over-written!
The pam_get_authtok_verify function can only be used to verify a password
for mistypes gotten by . This function asks
a second time for the password and verify it with the password provided by
authtok argument. In case of an error, the value of authtok is
undefined. Else this argument will point to the actual data and should
not be free()'ed or over-written!
OPTIONS
pam_get_authtok honours the following module options: try_first_passBefore prompting the user for their password,
the module first tries the previous stacked module's password in case that
satisfies this module as well.
use_first_pass
The argument use_first_pass forces the
module to use a previous stacked modules password and will never prompt the
user - if no password is available or the password is not appropriate, the
user will be denied access.
use_authtok
When password changing enforce the module to
set the new token to the one provided by a previously stacked password
module. If no token is available token changing will fail.
authtok_type=XXX
The default action is for the module to use
the following prompts when requesting passwords: "New UNIX password:
" and "Retype UNIX password: ". The example word UNIX
can be replaced with this option, by default it is empty.
RETURN VALUES
PAM_AUTH_ERRAuthentication token could not be
retrieved.
PAM_AUTHTOK_ERR
New authentication could not be
retrieved.
PAM_SUCCESS
Authentication token was successfully
retrieved.
PAM_SYSTEM_ERR
No space for an authentication token was
provided.
PAM_TRY_AGAIN
New authentication tokens mismatch.
SEE ALSO
pam(7)STANDARDS
The pam_get_authtok function is a Linux-PAM extensions.09/03/2021 | Linux-PAM Manual |