The PAM SPI | LDAP in the Solaris Operating Environment[c] Deploying Secure Directory Services

The PAM service modules are a set of dynamically loadable objects invoked by the PAM SPI to provide a particular type of user authentication. The functions comprising the PAM SPI are provided by the modules called by the PAM infrastructure, and are grouped, in the following sections, on the basis of the module type.

Authentication Module Functions

These authentication module functions are used to authenticate the user and the current process.

pam_sm_authenticate() module function is called to verify the identity of the current user, as specified by the PAM_USER item.
pam_sm_setcred() module function is called to set the credentials of the current process associated with the authentication handle supplied. Typically, this process is done after the user has been authenticated.

Note

A service module that is specified as auth must implement both interfaces. If the module has no credentials to set, the pam_sm_setcred function should return the PAM_IGNORE value.

Account Management Module Function

This account management module function is used to validate the account of the user when signing on. It is meant to check for password and account expiration, valid login times, and so on.

pam_sm_acct_mgmt()

Session Management Module Functions

These session management module functions are called on the initiation and termination of a login session.

pam_sm_open_session()
pam_sm_close_session()

Password Management Module Function

This password management module function is called to change the authentication token (password) associated with the user.

pam_sm_chauthtok()

Note

For an understanding of the relationship between the different APIs, please refer to the PAM Framework Architecture documentation available at http://docs.sun.com.