Standards, Environments, and Macros pam_unix_cred(5)
NAME
pam_unix_cred - PAM user credential authentication module
for UNIXSYNOPSIS
pam_unix_cred.so.1
DESCRIPTION
The pam_unix_cred module implements pam_sm_setcred(3PAM). It
provides functions that establish user credential informa-
tion. It is a module separate from the pam_unix_auth(5)
module to allow replacement of the authentication func-
tionality independently from the credential functionality.The pam_unix_cred module must always be stacked along with
whatever authentication module is used to ensure correct credential setting. Authentication service modules must implement bothpam_sm_authenticate() and pam_sm_setcred().
pam_sm_authenticate() in this module always returns
PAM_IGNORE.
pam_sm_setcred() initializes the user's project, privilege
sets and initializes or updates the user's audit context if it hasn't already been initialized. The following flags may be set in the flags field:PAM_ESTABLISH_CRED
PAM_REFRESH_CRED
PAM_REINITIALIZE_CRED
Initializes the user's project to the project specifiedin PAM_RESOURCE, or if PAM_RESOURCE is not specified, to
the user's default project. Establishes the user's privilege sets. If the audit context is not already initialized and auditing is configured, these flags cause the context to be initialized to that of the user specified inPAM_AUSER (if any) merged with the user specified in
PAM_USER and host specified in PAM_RHOST. If PAM_RHOST
is not specified, PAM_TTY specifies the local terminal
name. Attributing audit to PAM_AUSER and merging
PAM_USER is required for correctly attributing auditing
when the system entry is performed by another user thatSunOS 5.11 Last change: 9 Mar 2005 1
Standards, Environments, and Macros pam_unix_cred(5)
can be identified as trustworthy. If the audit context is already initialized, thePAM_REINITIALIZE_CRED flag merges the current audit con-
text with that of the user specified in PAM_USER.
PAM_REINITIALIZE_CRED is useful when a user is assuming
a new identity, as with su(1M).PAM_DELETE_CRED
This flag has no effect and always returns PAM_SUCCESS.
The following options are interpreted: debug Provides syslog(3C) debugging information at theLOG_DEBUG level.
nowarn Disables any warning messages.ERRORS
Upon successful completion of pam_sm_setcred(), PAM_SUCCESS
is returned. The following error codes are returned upon error:PAM_CRED_UNAVAIL Underlying authentication service cannot
retrieve user credentialsPAM_CRED_EXPIRED User credentials have expired
PAM_USER_UNKNOWN User is unknown to the authentication
servicePAM_CRED_ERR Failure in setting user credentials
PAM_BUF_ERR Memory buffer error
PAM_SYSTEM_ERR System error
The following values are returned frompam_sm_authenticate():
SunOS 5.11 Last change: 9 Mar 2005 2
Standards, Environments, and Macros pam_unix_cred(5)
PAM_IGNORE Ignores this module regardless of the control
flagATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Interface Stability | Committed ||_____________________________|_____________________________|
| MT Level | MT-Safe with exceptions |
|_____________________________|_____________________________|
SEE ALSO
ssh(1), su(1M), settaskid(2), libpam(3LIB),getprojent(3PROJECT), pam(3PAM), pam_set_item(3PAM),
pam_sm_authenticate(3PAM), syslog(3C),
setproject(3PROJECT),pam.conf(4), nsswitch.conf(4), pro-
ject(4), attributes(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_auth(5), pam_unix_account(5),
pam_unix_session(5), privileges(5)
NOTESThe interfaces in libpam(3LIB) are MT-Safe only if each
thread within the multi-threaded application uses its own
PAM handle. If this module is replaced, the audit context and credential may not be correctly configured.SunOS 5.11 Last change: 9 Mar 2005 3