path: root/doc/man/pam_item_types.inc.xml
<!-- this file is included by pam_set_item and pam_get_item -->

    <variablelist>
      <varlistentry>
        <term>PAM_SERVICE</term>
        <listitem>
          <para>
            The service name (which identifies the PAM stack that
            the PAM functions will use to authenticate the program).
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PAM_USER</term>
        <listitem>
          <para>
            The username of the entity under whose identity service
            will be given. That is, following authentication,
            <emphasis>PAM_USER</emphasis> identifies the local entity
            that gets to use the service. Note, this value can be mapped
            from something (e.g., "anonymous") to something else (e.g.,
            "guest119") by any module in the PAM stack. As such, an
            application should consult the value of
            <emphasis>PAM_USER</emphasis> after each call to a PAM function,
            rather than relying on the name it originally supplied.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PAM_USER_PROMPT</term>
        <listitem>
          <para>
            The string used when prompting for a user's name. The default
            value for this string is a localized version of "login: ".
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PAM_TTY</term>
        <listitem>
          <para>
            The terminal name: prefixed by <filename>/dev/</filename> if
            it is a device file; for graphical, X-based, applications the
            value for this item should be the
            <emphasis>$DISPLAY</emphasis> variable.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PAM_RUSER</term>
        <listitem>
          <para>
            The requesting user name: local name for a locally
            requesting user or a remote user name for a remote
            requesting user.
          </para>
          <para>
            Generally an application or module will attempt to supply
            the value that is most strongly authenticated (a local account
            before a remote one). The level of trust in this value is
            embodied in the actual authentication stack associated with
            the application, so it is ultimately at the discretion of the
            system administrator.
          </para>
          <para>
            <emphasis>PAM_RUSER@PAM_RHOST</emphasis> should always identify
             the requesting user. In some cases,
             <emphasis>PAM_RUSER</emphasis> may be NULL. In such situations,
             it is unclear who the requesting entity is.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PAM_RHOST</term>
        <listitem>
          <para>
            The requesting hostname (the hostname of the machine from
            which the <emphasis>PAM_RUSER</emphasis> entity is requesting
            service). That is, <emphasis>PAM_RUSER@PAM_RHOST</emphasis>
            identifies the requesting user. In some applications,
            <emphasis>PAM_RHOST</emphasis> may be NULL. In such situations,
            it is unclear where the authentication request is originating
            from.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PAM_AUTHTOK</term>
        <listitem>
          <para>
            The authentication token (often a password). This token
            should be ignored by all module functions besides
            <citerefentry>
              <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum>
            </citerefentry> and
            <citerefentry>
              <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
            </citerefentry>.
            In the former function it is used to pass the most recent
            authentication token from one stacked module to another. In
            the latter function the token is used for another purpose:
            it contains the currently active authentication token.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PAM_OLDAUTHTOK</term>
        <listitem>
          <para>
            The old authentication token. This token should be ignored
            by all module functions except
            <citerefentry>
              <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum>
            </citerefentry>.
          </para>
        </listitem>
      </varlistentry>


      <varlistentry>
        <term>PAM_CONV</term>
        <listitem>
          <para>
            The pam_conv structure. See
            <citerefentry>
              <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum>
            </citerefentry>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PAM_FAIL_DELAY</term>
        <listitem>
          <para>
            A function pointer to redirect centrally managed
            failure delays. See
            <citerefentry>
              <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum>
            </citerefentry>.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>