xref: /illumos-gate/usr/src/lib/libpam/pam_appl.h (revision cbea7aca) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * Copyright 2023 OmniOS Community Edition (OmniOSce) Association.
26  */
27 
28 #ifndef _PAM_APPL_H
29 #define	_PAM_APPL_H
30 
31 #include <sys/types.h>
32 
33 #ifdef	__cplusplus
34 extern "C" {
35 #endif
36 
37 /* Generic PAM errors */
38 #define	PAM_SUCCESS		0	/* Normal function return */
39 #define	PAM_OPEN_ERR		1	/* Dlopen failure */
40 #define	PAM_SYMBOL_ERR		2	/* Symbol not found */
41 #define	PAM_SERVICE_ERR		3	/* Error in underlying service module */
42 #define	PAM_SYSTEM_ERR		4	/* System error */
43 #define	PAM_BUF_ERR		5	/* Memory buffer error */
44 #define	PAM_CONV_ERR		6	/* Conversation failure */
45 #define	PAM_PERM_DENIED		7	/* Permission denied */
46 
47 /* Errors returned by pam_authenticate, pam_acct_mgmt(), and pam_setcred() */
48 #define	PAM_MAXTRIES		8	/* Maximum number of tries exceeded */
49 #define	PAM_AUTH_ERR		9	/* Authentication failure */
50 #define	PAM_NEW_AUTHTOK_REQD	10	/* Get new auth token from the user */
51 #define	PAM_CRED_INSUFFICIENT	11	/* can not access auth data b/c */
52 					/* of insufficient credentials  */
53 #define	PAM_AUTHINFO_UNAVAIL	12	/* Can not retrieve auth information */
54 #define	PAM_USER_UNKNOWN	13	/* No account present for user */
55 
56 /* Errors returned by pam_setcred() */
57 #define	PAM_CRED_UNAVAIL	14	/* can not retrieve user credentials */
58 #define	PAM_CRED_EXPIRED	15	/* user credentials expired */
59 #define	PAM_CRED_ERR		16	/* failure setting user credentials */
60 
61 /* Errors returned by pam_acct_mgmt() */
62 #define	PAM_ACCT_EXPIRED	17	/* user account has expired */
63 #define	PAM_AUTHTOK_EXPIRED 	18	/* Password expired and no longer */
64 					/* usable */
65 
66 /* Errors returned by pam_open/close_session() */
67 #define	PAM_SESSION_ERR		19	/* can not make/remove entry for */
68 					/* specified session */
69 
70 /* Errors returned by pam_chauthtok() */
71 #define	PAM_AUTHTOK_ERR		  20	/* Authentication token */
72 					/*   manipulation error */
73 #define	PAM_AUTHTOK_RECOVERY_ERR  21	/* Old authentication token */
74 					/*   cannot be recovered */
75 #define	PAM_AUTHTOK_LOCK_BUSY	  22	/* Authentication token */
76 					/*   lock busy */
77 #define	PAM_AUTHTOK_DISABLE_AGING 23	/* Authentication token aging */
78 					/*   is disabled */
79 
80 /* Errors returned by pam_get_data */
81 #define	PAM_NO_MODULE_DATA	24	/* module data not found */
82 
83 /* Errors returned by modules */
84 #define	PAM_IGNORE		25	/* ignore module */
85 
86 #define	PAM_ABORT		26	/* General PAM failure */
87 #define	PAM_TRY_AGAIN		27	/* Unable to update password */
88 					/* Try again another time */
89 #define	PAM_TOTAL_ERRNUM	28
90 
91 /*
92  * structure pam_message is used to pass prompt, error message,
93  * or any text information from scheme to application/user.
94  */
95 
96 struct pam_message {
97 	int msg_style;		/* Msg_style - see below */
98 	char *msg; 		/* Message string */
99 };
100 
101 /*
102  * msg_style defines the interaction style between the
103  * scheme and the application.
104  */
105 #define	PAM_PROMPT_ECHO_OFF	1	/* Echo off when getting response */
106 #define	PAM_PROMPT_ECHO_ON	2 	/* Echo on when getting response */
107 #define	PAM_ERROR_MSG		3	/* Error message */
108 #define	PAM_TEXT_INFO		4	/* Textual information */
109 
110 /*
111  * max # of messages passed to the application through the
112  * conversation function call
113  */
114 #define	PAM_MAX_NUM_MSG	32
115 
116 /*
117  * max size (in chars) of each messages passed to the application
118  * through the conversation function call
119  */
120 #define	PAM_MAX_MSG_SIZE	512
121 
122 /*
123  * max size (in chars) of each response passed from the application
124  * through the conversation function call
125  */
126 #define	PAM_MAX_RESP_SIZE	512
127 
128 /*
129  * structure pam_response is used by the scheme to get the user's
130  * response back from the application/user.
131  */
132 
133 struct pam_response {
134 	char *resp;		/* Response string */
135 	int resp_retcode;	/* Return code - for future use */
136 };
137 
138 /*
139  * structure pam_conv is used by authentication applications for passing
140  * call back function pointers and application data pointers to the scheme
141  */
142 struct pam_conv {
143 #ifdef _PAM_LEGACY_NONCONST
144 	int (*conv)(int, struct pam_message **,
145 #else
146 	int (*conv)(int, const struct pam_message **,
147 #endif
148 	    struct pam_response **, void *);
149 	void *appdata_ptr;		/* Application data ptr */
150 };
151 
152 /* the pam handle */
153 typedef struct pam_handle pam_handle_t;
154 
155 /*
156  * pam_start() is called to initiate an authentication exchange
157  * with PAM.
158  */
159 extern int
160 pam_start(
161 	const char *service_name,		/* Service Name */
162 	const char *user,			/* User Name */
163 	const struct pam_conv *pam_conv,	/* Conversation structure */
164 	pam_handle_t **pamh		/* Address to store handle */
165 );
166 
167 /*
168  * pam_end() is called to end an authentication exchange with PAM.
169  */
170 extern int
171 pam_end(
172 	pam_handle_t *pamh,		/* handle from pam_start() */
173 	int status			/* the final status value that */
174 					/* gets passed to cleanup functions */
175 );
176 
177 /*
178  * pam_set_item is called to store an object in PAM handle.
179  */
180 extern int
181 pam_set_item(
182 	pam_handle_t *pamh,		/* PAM handle */
183 	int item_type, 			/* Type of object - see below */
184 	const void *item		/* Address of place to put pointer */
185 					/*   to object */
186 );
187 
188 /*
189  * pam_get_item is called to retrieve an object from the static data area
190  */
191 extern int
192 pam_get_item(
193 	const pam_handle_t *pamh, 	/* PAM handle */
194 	int item_type, 			/* Type of object - see below */
195 #ifdef _PAM_LEGACY_NONCONST
196 	void **item			/* Address of place to put pointer */
197 #else
198 	const void **item		/* Address of place to put pointer */
199 #endif
200 					/*   to object */
201 );
202 
203 /* Items supported by pam_[sg]et_item() calls */
204 #define	PAM_SERVICE	1		/* The program/service name */
205 #define	PAM_USER	2		/* The user name */
206 #define	PAM_TTY		3		/* The tty name */
207 #define	PAM_RHOST	4		/* The remote host name */
208 #define	PAM_CONV	5		/* The conversation structure */
209 #define	PAM_AUTHTOK	6		/* The authentication token */
210 #define	PAM_OLDAUTHTOK	7		/* Old authentication token */
211 #define	PAM_RUSER	8		/* The remote user name */
212 #define	PAM_USER_PROMPT	9		/* The user prompt */
213 #define	PAM_REPOSITORY	10		/* The repository to be updated */
214 #define	PAM_RESOURCE	11		/* Resource management info */
215 #define	PAM_AUSER	12		/* The authenticated user name */
216 
217 /* pam repository structure */
218 
219 struct pam_repository {
220 	char   *type;		/* Repository type, e.g., files, nis, ldap */
221 	void   *scope;		/* Optional scope information */
222 	size_t  scope_len;	/* length of scope inforamtion */
223 };
224 
225 typedef struct pam_repository pam_repository_t;
226 
227 /*
228  * pam_get_user is called to retrieve the user name (PAM_USER). If PAM_USER
229  * is not set then this call will prompt for the user name using the
230  * conversation function. This function should only be used by modules, not
231  * applications.
232  */
233 
234 extern int
235 pam_get_user(
236 	pam_handle_t *pamh,	/* PAM handle */
237 #ifdef _PAM_LEGACY_NONCONST
238 	char **user, 		/* User Name */
239 #else
240 	const char **user, 	/* User Name */
241 #endif
242 	const char *prompt	/* Prompt */
243 );
244 
245 /*
246  * PAM equivalent to strerror();
247  */
248 extern const char *
249 pam_strerror(
250 	pam_handle_t *pamh,	/* pam handle */
251 	int errnum		/* error number */
252 );
253 
254 /* general flag for pam_* functions */
255 #define	PAM_SILENT	0x80000000
256 
257 /*
258  * pam_authenticate is called to authenticate the current user.
259  */
260 extern int
261 pam_authenticate(
262 	pam_handle_t *pamh,
263 	int flags
264 );
265 
266 /*
267  * Flags for pam_authenticate
268  */
269 
270 #define	PAM_DISALLOW_NULL_AUTHTOK 0x1	/* The password must be non-null */
271 
272 /*
273  * pam_acct_mgmt is called to perform account management processing
274  */
275 extern int
276 pam_acct_mgmt(
277 	pam_handle_t *pamh,
278 	int flags
279 );
280 
281 /*
282  * pam_open_session is called to note the initiation of new session in the
283  * appropriate administrative data bases.
284  */
285 extern int
286 pam_open_session(
287 	pam_handle_t *pamh,
288 	int flags
289 );
290 
291 /*
292  * pam_close_session records the termination of a session.
293  */
294 extern int
295 pam_close_session(
296 	pam_handle_t	*pamh,
297 	int		flags
298 );
299 
300 /* pam_setcred is called to set the credentials of the current user */
301 extern int
302 pam_setcred(
303 	pam_handle_t *pamh,
304 	int flags
305 );
306 
307 /* flags for pam_setcred() */
308 #define	PAM_ESTABLISH_CRED	0x1	/* set scheme specific user id */
309 #define	PAM_DELETE_CRED		0x2	/* unset scheme specific user id */
310 #define	PAM_REINITIALIZE_CRED	0x4	/* reinitialize user credentials */
311 					/* (after a password has changed */
312 #define	PAM_REFRESH_CRED	0x8	/* extend lifetime of credentials */
313 
314 /* pam_chauthtok is called to change authentication token */
315 
316 extern int
317 pam_chauthtok(
318 	pam_handle_t	*pamh,
319 	int		flags
320 );
321 
322 /*
323  * Be careful - there are flags defined for pam_sm_chauthtok() in
324  * pam_modules.h also:
325  * PAM_PRELIM_CHECK	0x1
326  * PAM_UPDATE_AUTHTOK	0x2
327  */
328 #define	PAM_CHANGE_EXPIRED_AUTHTOK	0x4 /* update expired passwords only */
329 #define	PAM_NO_AUTHTOK_CHECK		0x8 /* bypass password strength tests */
330 
331 /* pam_putenv is called to add environment variables to the PAM handle */
332 
333 extern int
334 pam_putenv(
335 	pam_handle_t	*pamh,
336 	const char	*name_value
337 );
338 
339 /* pam_getenv is called to retrieve an env variable from the PAM handle */
340 
341 #ifdef _PAM_LEGACY_NONCONST
342 extern char *
343 #else
344 extern const char *
345 #endif
346 pam_getenv(
347 	pam_handle_t	*pamh,
348 	const char	*name
349 );
350 
351 /* pam_getenvlist is called to retrieve all env variables from the PAM handle */
352 
353 extern char **
354 pam_getenvlist(
355 	pam_handle_t	*pamh
356 );
357 
358 #ifdef	__cplusplus
359 }
360 #endif
361 
362 #endif /* _PAM_APPL_H */
363