2026-06-08 13:04 @216.73.217.65
CrawledBy Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
PAM(7) Linux-PAM Manual PAM(7) NAME PAM, pam - Pluggable Authentication Modules for Linux DESCRIPTION This manual is intended to offer a quick introduction to Linux-PAM. For more information the reader is directed to the Linux-PAM system administrators' guide. Linux-PAM is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface - API) that privilege granting programs (such as login(1) and su(1)) defer to to perform standard authentication tasks. The principal feature of the PAM approach is that the nature of the authentication is dynamically configurable. In other words, the system administrator is free to choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the single Linux-PAM configuration file /etc/pam.conf. Alternatively, the configuration can be set by individual configuration files located in the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to ignore /etc/pam.conf. Vendor-supplied PAM configuration files might be installed in the system directory /usr/lib/pam.d/ or a configurable vendor specific directory instead of the machine configuration directory /etc/pam.d/. If no machine configuration file is found, the vendor-supplied file is used. All files in /etc/pam.d/ override files with the same name in other directories. From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the Linux-PAM library. The important point to recognize is that the configuration file(s) define the connection between applications (services) and the pluggable authentication modules (PAMs) that perform the actual authentication tasks. Linux-PAM separates the tasks of authentication into four independent management groups: account management; authentication management; password management; and session management. (We highlight the abbreviations used for these groups in the configuration file.) Simply put, these groups take care of different aspects of a typical user's request for a restricted service: account - provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service? authentication - authenticate a user and set up user credentials. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be please enter your password. Not all authentications are of this type, there exist hardware based authentication schemes (such as the use of smart-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication - such is the flexibility of Linux-PAM. password - this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the auth group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password. session - this group of tasks cover things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The session management group is important as it provides both an opening and closing hook for modules to affect the services available to a user. FILES /etc/pam.conf the configuration file /etc/pam.d the Linux-PAM configuration directory. Generally, if this directory is present, the /etc/pam.conf file is ignored. /usr/lib/pam.d the Linux-PAM vendor configuration directory. Files in /etc/pam.d override files with the same name in this directory. <vendordir>/pam.d the Linux-PAM vendor configuration directory. Files in /etc/pam.d and /usr/lib/pam.d override files with the same name in this directory. Only available if Linux-PAM was compiled with vendordir enabled. ERRORS Typically errors generated by the Linux-PAM system of libraries, will be written to syslog(3). CONFORMING TO DCE-RFC 86.0, October 1995. Contains additional features, but remains backwardly compatible with this RFC. SEE ALSO pam(3), pam_authenticate(3), pam_sm_setcred(3), pam_strerror(3), PAM(7) Linux-PAM Manual 06/08/2020 PAM(7) PAM(3) Linux-PAM Manual PAM(3) NAME pam - Pluggable Authentication Modules Library SYNOPSIS #include <security/pam_appl.h> #include <security/pam_modules.h> #include <security/pam_ext.h> DESCRIPTION PAM is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface - API) that privilege granting programs (such as login(1) and su(1)) defer to to perform standard authentication tasks. Initialization and Cleanup The pam_start(3) function creates the PAM context and initiates the PAM transaction. It is the first of the PAM functions that needs to be called by an application. The transaction state is contained entirely within the structure identified by this handle, so it is possible to have multiple transactions in parallel. But it is not possible to use the same handle for different transactions, a new one is needed for every new context. The pam_end(3) function terminates the PAM transaction and is the last function an application should call in the PAM context. Upon return the handle pamh is no longer valid and all memory associated with it will be invalid. It can be called at any time to terminate a PAM transaction. Authentication The pam_authenticate(3) function is used to authenticate the user. The user is required to provide an authentication token depending upon the authentication service, usually this is a password, but could also be a finger print. The pam_setcred(3) function manages the user's credentials. Account Management The pam_acct_mgmt(3) function is used to determine if the user's account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated. Password Management The pam_chauthtok(3) function is used to change the authentication token for a given user on request or because the token has expired. Session Management The pam_open_session(3) function sets up a user session for a previously successful authenticated user. The session should later be terminated with a call to pam_close_session(3). Conversation The PAM library uses an application-defined callback to allow a direct communication between a loaded module and the application. This callback is specified by the struct pam_conv passed to pam_start(3) at the start of the transaction. See pam_conv(3) for details. Data Objects The pam_set_item(3) and pam_get_item(3) functions allows applications and PAM service modules to set and retrieve PAM information. The pam_get_user(3) function is the preferred method to obtain the username. The pam_set_data(3) and pam_get_data(3) functions allows PAM service modules to set and retrieve free-form data from one invocation to another. Environment and Error Management The pam_putenv(3), pam_getenv(3) and pam_getenvlist(3) functions are for maintaining a set of private environment variables. The pam_strerror(3) function returns a pointer to a string describing the given PAM error code. RETURN VALUES The following return codes are known by PAM: PAM_ABORT Critical error, immediate abort. PAM_ACCT_EXPIRED User account has expired. PAM_AUTHINFO_UNAVAIL Authentication service cannot retrieve authentication info. PAM_AUTHTOK_DISABLE_AGING Authentication token aging disabled. PAM_AUTHTOK_ERR Authentication token manipulation error. PAM_AUTHTOK_EXPIRED Authentication token expired. PAM_AUTHTOK_LOCK_BUSY Authentication token lock busy. PAM_AUTHTOK_RECOVERY_ERR Authentication information cannot be recovered. PAM_AUTH_ERR Authentication failure. PAM_BUF_ERR Memory buffer error. PAM_CONV_ERR Conversation failure. PAM_CRED_ERR Failure setting user credentials. PAM_CRED_EXPIRED User credentials expired. PAM_CRED_INSUFFICIENT Insufficient credentials to access authentication data. PAM_CRED_UNAVAIL Authentication service cannot retrieve user credentials. PAM_IGNORE The return value should be ignored by PAM dispatch. PAM_MAXTRIES Have exhausted maximum number of retries for service. PAM_MODULE_UNKNOWN Module is unknown. PAM_NEW_AUTHTOK_REQD Authentication token is no longer valid; new one required. PAM_NO_MODULE_DATA No module specific data is present. PAM_OPEN_ERR Failed to load module. PAM_PERM_DENIED Permission denied. PAM_SERVICE_ERR Error in service module. PAM_SESSION_ERR Cannot make/remove an entry for the specified session. PAM_SUCCESS Success. PAM_SYMBOL_ERR Symbol not found. PAM_SYSTEM_ERR System error. PAM_TRY_AGAIN Failed preliminary check by password service. PAM_USER_UNKNOWN User not known to the underlying authentication module. SEE ALSO pam_acct_mgmt(3), pam_authenticate(3), pam_chauthtok(3), pam_close_session(3), pam_conv(3), pam_end(3), pam_get_data(3), pam_getenv(3), pam_getenvlist(3), pam_get_item(3), pam_get_user(3), pam_open_session(3), pam_putenv(3), pam_set_data(3), pam_set_item(3), pam_setcred(3), pam_start(3), pam_strerror(3) NOTES The libpam interfaces are only thread-safe if each thread within the multithreaded application uses its own PAM handle. Linux-PAM Manual 06/08/2020 PAM(3) pam(5) File Formats Manual pam(5) NAME pam - portable arbitrary map file format DESCRIPTION The PAM image format is a lowest common denominator 2 dimensional map format. It is designed to be used for any of myriad kinds of graphics, but can theoretically be used for any kind of data that is arranged as a two dimensional rectangular array. Actually, from another perspective it can be seen as a format for data arranged as a three dimensional array. This format does not define the meaning of the data at any particular point in the array. It could be red, green, and blue light intensities such that the array represents a visual image, or it could be the same red, green, and blue components plus a transparency component, or it could contain annual rainfalls for places on the surface of the Earth. Any process that uses the PAM format must further define the format to specify the meanings of the data. A PAM image describes a two dimensional grid of tuples. The tuples are arranged in rows and columns. The width of the image is the number of columns. The height of the image is the number of rows. All rows are the same width and all columns are the same height. The tuples may have any degree, but all tuples have the same degree. The degree of the tuples is called the depth of the image. Each member of a tuple is called a sample. A sample is an unsigned integer which represents a locus along a scale which starts at zero and ends at a certain maximum value greater than zero called the maxval. The maxval is the same for every sample in the image. The two dimensional array of all the Nth samples of each tuple is called the Nth plane or Nth channel of the im- age. Though the format does not assign any meaning to the tuple values, it does include an optional string that describes that meaning. The con- tents of this string, called the tuple type, are arbitrary from the point of view of the PAM format, but users of the format may assign meaning to it by convention so they can identify their particular im- plementations of the PAM format. The Layout A PAM file consists of a sequence of one or more PAM images. There are no data, delimiters, or padding before, after, or between images. Each PAM image consists of a header followed immediately by a raster. Here is an example header: P7 WIDTH 227 HEIGHT 149 DEPTH 3 MAXVAL 255 TUPLTYPE RGB ENDHDR The header begins with the ASCII characters "P7" followed by newline. This is the magic number. The header continues with an arbitrary number of lines of ASCII text. Each line ends with and is delimited by a newline character. Each header line consists of zero or more whitespace-delimited tokens or begins with "#". If it begins with "#" it is a comment and the rest of this specification does not apply to it. A header line which has zero tokens is valid but has no meaning. The type of header line is identified by its first token, which is 8 characters or less: ENDHDR This is the last line in the header. The header must contain exactly one of these header lines. HEIGHT The second token is a decimal number representing the height of the image (number of rows). The header must contain exactly one of these header lines. WIDTH The second token is a decimal number representing the width of the image (number of columns). The header must contain exactly one of these header lines. DEPTH The second token is a decimal number representing the depth of the image (number of planes or channels). The header must con- tain exactly one of these header lines. MAXVAL The second token is a decimal number representing the maxval of the image. The header must contain exactly one of these header lines. TUPLTYPE The header may contain any number of these header lines, includ- ing zero. The rest of the line is part of the tuple type. The rest of the line is not tokenized, but the tuple type does not include any white space immediately following TUPLTYPE or at the very end of the line. It does not include a newline. If there are multiple TUPLTYPE header lines, the tuple type is the con- catenation of the values from each of them, separated by a sin- gle blank, in the order in which they appear in the header. If there are no TUPLTYPE header lines the tuple type is the null string. The raster consists of each row of the image, in order from top to bot- tom, consecutive with no delimiter of any kind between, before, or af- ter, rows. Each row consists of every tuple in the row, in order from left to right, consecutive with no delimiter of any kind between, before, or after, tuples. Each tuple consists of every sample in the tuple, in order, consecutive with no delimiter of any kind between, before, or after, samples. Each sample consists of an unsigned integer in pure binary format, with the most significant byte first. The number of bytes is the minimum number of bytes required to represent the maxval of the image. PAM Used For PNM (PBM, PGM, or PPM) Images A common use of PAM images is to represent the older and more concrete PBM, PGM, and PPM images. A PBM image is conventionally represented as a PAM image of depth 1 with maxval 1 where the one sample in each tuple is 0 to represent a black pixel and 1 to represent a white one. The height, width, and raster bear the obvious relationship to those of the PBM image. The tuple type for PBM images represented as PAM images is conventionally "BLACKANDWHITE". A PGM image is conventionally represented as a PAM image of depth 1. The maxval, height, width, and raster bear the obvious relationship to those of the PGM image. The tuple type for PGM images represented as PAM images is conventionally "GRAYSCALE". A PPM image is conventionally represented as a PAM image of depth 3. The maxval, height, width, and raster bear the obvious relationship to those of the PPM image. The first plane represents red, the second green, and the third blue. The tuple type for PPM images represented as PAM images is conventionally "RGB". The Confusing Universe of Netpbm Formats It is easy to get confused about the relationship between the PAM for- mat and PBM, PGM, PPM, and PNM. Here is a little enlightenment: "PNM" is not really a format. It is a shorthand for the PBM, PGM, and PPM formats collectively. It is also the name of a group of library functions that can each handle all three of those formats. "PAM" is in fact a fourth format. But it is so general that you can represent the same information in a PAM image as you can in a PBM, PGM, or PPM image. And in fact a program that is designed to read PBM, PGM, or PPM and does so with a recent version of the Netpbm library, will read an equivalent PAM image just fine and the program will never know the difference. To confuse things more, there is a collection of library routines called the "pam" functions that read and write the PAM format, but also read and write the PBM, PGM, and PPM formats. They do this because the latter formats are much older and more popular, so this makes it conve- nient to write programs that use the newer PAM format. SEE ALSO pbm(5), pgm(5), ppm(5), pnm(5), libpnm(3) 31 July 2000 pam(5)
Generated by phpMan v3.6.3-2-gc817beb Author: Che Dong Under GNU General Public License
2026-06-08 13:04 @216.73.217.65
CrawledBy Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)