xref: /illumos-gate/usr/src/lib/libpam/pam_appl.h (revision 03831d35) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #ifndef _PAM_APPL_H
28 #define	_PAM_APPL_H
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 #include <sys/types.h>
33 
34 #ifdef	__cplusplus
35 extern "C" {
36 #endif
37 
38 /* Generic PAM errors */
39 #define	PAM_SUCCESS		0	/* Normal function return */
40 #define	PAM_OPEN_ERR		1	/* Dlopen failure */
41 #define	PAM_SYMBOL_ERR		2	/* Symbol not found */
42 #define	PAM_SERVICE_ERR		3	/* Error in underlying service module */
43 #define	PAM_SYSTEM_ERR		4	/* System error */
44 #define	PAM_BUF_ERR		5	/* Memory buffer error */
45 #define	PAM_CONV_ERR		6	/* Conversation failure */
46 #define	PAM_PERM_DENIED		7	/* Permission denied */
47 
48 /* Errors returned by pam_authenticate, pam_acct_mgmt(), and pam_setcred() */
49 #define	PAM_MAXTRIES		8	/* Maximum number of tries exceeded */
50 #define	PAM_AUTH_ERR		9	/* Authentication failure */
51 #define	PAM_NEW_AUTHTOK_REQD	10	/* Get new auth token from the user */
52 #define	PAM_CRED_INSUFFICIENT	11	/* can not access auth data b/c */
53 					/* of insufficient credentials  */
54 #define	PAM_AUTHINFO_UNAVAIL	12	/* Can not retrieve auth information */
55 #define	PAM_USER_UNKNOWN	13	/* No account present for user */
56 
57 /* Errors returned by pam_setcred() */
58 #define	PAM_CRED_UNAVAIL	14	/* can not retrieve user credentials */
59 #define	PAM_CRED_EXPIRED	15	/* user credentials expired */
60 #define	PAM_CRED_ERR		16	/* failure setting user credentials */
61 
62 /* Errors returned by pam_acct_mgmt() */
63 #define	PAM_ACCT_EXPIRED	17	/* user account has expired */
64 #define	PAM_AUTHTOK_EXPIRED 	18	/* Password expired and no longer */
65 					/* usable */
66 
67 /* Errors returned by pam_open/close_session() */
68 #define	PAM_SESSION_ERR		19	/* can not make/remove entry for */
69 					/* specified session */
70 
71 /* Errors returned by pam_chauthtok() */
72 #define	PAM_AUTHTOK_ERR		  20	/* Authentication token */
73 					/*   manipulation error */
74 #define	PAM_AUTHTOK_RECOVERY_ERR  21	/* Old authentication token */
75 					/*   cannot be recovered */
76 #define	PAM_AUTHTOK_LOCK_BUSY	  22	/* Authentication token */
77 					/*   lock busy */
78 #define	PAM_AUTHTOK_DISABLE_AGING 23	/* Authentication token aging */
79 					/*   is disabled */
80 
81 /* Errors returned by pam_get_data */
82 #define	PAM_NO_MODULE_DATA	24	/* module data not found */
83 
84 /* Errors returned by modules */
85 #define	PAM_IGNORE		25	/* ignore module */
86 
87 #define	PAM_ABORT		26	/* General PAM failure */
88 #define	PAM_TRY_AGAIN		27	/* Unable to update password */
89 					/* Try again another time */
90 #define	PAM_TOTAL_ERRNUM	28
91 
92 /*
93  * structure pam_message is used to pass prompt, error message,
94  * or any text information from scheme to application/user.
95  */
96 
97 struct pam_message {
98 	int msg_style;		/* Msg_style - see below */
99 	char *msg; 		/* Message string */
100 };
101 
102 /*
103  * msg_style defines the interaction style between the
104  * scheme and the application.
105  */
106 #define	PAM_PROMPT_ECHO_OFF	1	/* Echo off when getting response */
107 #define	PAM_PROMPT_ECHO_ON	2 	/* Echo on when getting response */
108 #define	PAM_ERROR_MSG		3	/* Error message */
109 #define	PAM_TEXT_INFO		4	/* Textual information */
110 
111 /*
112  * Sun's proprietary message types
113  * Can these new new message types supported in version 2
114  * have the numbers like -XXX (ie., negative numbers).
115  * Hence will not clash with new proposals from X/OPEN
116  */
117 #define	PAM_MSG_NOCONF		2001	/* No confirmation from user */
118 #define	PAM_CONV_INTERRUPT	2002	/* Return from conv() */
119 
120 /*
121  * max # of messages passed to the application through the
122  * conversation function call
123  */
124 #define	PAM_MAX_NUM_MSG	32
125 
126 /*
127  * max size (in chars) of each messages passed to the application
128  * through the conversation function call
129  */
130 #define	PAM_MAX_MSG_SIZE	512
131 
132 /*
133  * max size (in chars) of each response passed from the application
134  * through the conversation function call
135  */
136 #define	PAM_MAX_RESP_SIZE	512
137 
138 /*
139  * structure pam_response is used by the scheme to get the user's
140  * response back from the application/user.
141  */
142 
143 struct pam_response {
144 	char *resp;		/* Response string */
145 	int resp_retcode;	/* Return code - for future use */
146 };
147 
148 /*
149  * structure pam_conv is used by authentication applications for passing
150  * call back function pointers and application data pointers to the scheme
151  */
152 struct pam_conv {
153 	int (*conv)(int, struct pam_message **,
154 	    struct pam_response **, void *);
155 	void *appdata_ptr;		/* Application data ptr */
156 };
157 
158 /* the pam handle */
159 typedef struct pam_handle pam_handle_t;
160 
161 /*
162  * pam_start() is called to initiate an authentication exchange
163  * with PAM.
164  */
165 extern int
166 pam_start(
167 	const char *service_name,		/* Service Name */
168 	const char *user,			/* User Name */
169 	const struct pam_conv *pam_conv,	/* Conversation structure */
170 	pam_handle_t **pamh		/* Address to store handle */
171 );
172 
173 /*
174  * pam_end() is called to end an authentication exchange with PAM.
175  */
176 extern int
177 pam_end(
178 	pam_handle_t *pamh,		/* handle from pam_start() */
179 	int status			/* the final status value that */
180 					/* gets passed to cleanup functions */
181 );
182 
183 /*
184  * pam_set_item is called to store an object in PAM handle.
185  */
186 extern int
187 pam_set_item(
188 	pam_handle_t *pamh,		/* PAM handle */
189 	int item_type, 			/* Type of object - see below */
190 	const void *item		/* Address of place to put pointer */
191 					/*   to object */
192 );
193 
194 /*
195  * pam_get_item is called to retrieve an object from the static data area
196  */
197 extern int
198 pam_get_item(
199 	const pam_handle_t *pamh, 	/* PAM handle */
200 	int item_type, 			/* Type of object - see below */
201 	void **	item			/* Address of place to put pointer */
202 					/*   to object */
203 );
204 
205 /* Items supported by pam_[sg]et_item() calls */
206 #define	PAM_SERVICE	1		/* The program/service name */
207 #define	PAM_USER	2		/* The user name */
208 #define	PAM_TTY		3		/* The tty name */
209 #define	PAM_RHOST	4		/* The remote host name */
210 #define	PAM_CONV	5		/* The conversation structure */
211 #define	PAM_AUTHTOK	6		/* The authentication token */
212 #define	PAM_OLDAUTHTOK	7		/* Old authentication token */
213 #define	PAM_RUSER	8		/* The remote user name */
214 #define	PAM_USER_PROMPT	9		/* The user prompt */
215 #define	PAM_REPOSITORY	10		/* The repository to be updated */
216 #define	PAM_RESOURCE	11		/* Resource management info */
217 
218 /* pam repository structure */
219 
220 struct pam_repository {
221 	char   *type;		/* Repository type, e.g., files, nis, ldap */
222 	void   *scope;		/* Optional scope information */
223 	size_t  scope_len;	/* length of scope inforamtion */
224 };
225 
226 typedef struct pam_repository pam_repository_t;
227 
228 /*
229  * PAM message version.
230  * Sun proprietary pam_[sg]et_item() extension
231  */
232 #define	PAM_MSG_VERSION	3001		/* PAM message version supported */
233 #define	PAM_MSG_VERSION_V2 "2.0"	/* PAM 2.0 message version */
234 
235 /*
236  * pam_get_user is called to retrieve the user name (PAM_USER). If PAM_USER
237  * is not set then this call will prompt for the user name using the
238  * conversation function. This function should only be used by modules, not
239  * applications.
240  */
241 
242 extern int
243 pam_get_user(
244 	pam_handle_t *pamh,		/* PAM handle */
245 	char **user, 			/* User Name */
246 	const char *prompt		/* Prompt */
247 );
248 
249 /*
250  * PAM equivalent to strerror();
251  */
252 extern const char *
253 pam_strerror(
254 	pam_handle_t *pamh,	/* pam handle */
255 	int errnum		/* error number */
256 );
257 
258 /* general flag for pam_* functions */
259 #define	PAM_SILENT	0x80000000
260 
261 /*
262  * pam_authenticate is called to authenticate the current user.
263  */
264 extern int
265 pam_authenticate(
266 	pam_handle_t *pamh,
267 	int flags
268 );
269 
270 /*
271  * Flags for pam_authenticate
272  */
273 
274 #define	PAM_DISALLOW_NULL_AUTHTOK 0x1	/* The password must be non-null */
275 
276 /*
277  * pam_acct_mgmt is called to perform account management processing
278  */
279 extern int
280 pam_acct_mgmt(
281 	pam_handle_t *pamh,
282 	int flags
283 );
284 
285 /*
286  * pam_open_session is called to note the initiation of new session in the
287  * appropriate administrative data bases.
288  */
289 extern int
290 pam_open_session(
291 	pam_handle_t *pamh,
292 	int flags
293 );
294 
295 /*
296  * pam_close_session records the termination of a session.
297  */
298 extern int
299 pam_close_session(
300 	pam_handle_t	*pamh,
301 	int		flags
302 );
303 
304 /* pam_setcred is called to set the credentials of the current user */
305 extern int
306 pam_setcred(
307 	pam_handle_t *pamh,
308 	int flags
309 );
310 
311 /* flags for pam_setcred() */
312 #define	PAM_ESTABLISH_CRED	0x1	/* set scheme specific user id */
313 #define	PAM_DELETE_CRED		0x2	/* unset scheme specific user id */
314 #define	PAM_REINITIALIZE_CRED	0x4	/* reinitialize user credentials */
315 					/* (after a password has changed */
316 #define	PAM_REFRESH_CRED	0x8	/* extend lifetime of credentials */
317 
318 /* pam_chauthtok is called to change authentication token */
319 
320 extern int
321 pam_chauthtok(
322 	pam_handle_t	*pamh,
323 	int		flags
324 );
325 
326 /*
327  * Be careful - there are flags defined for pam_sm_chauthtok() in
328  * pam_modules.h also:
329  * PAM_PRELIM_CHECK	0x1
330  * PAM_UPDATE_AUTHTOK	0x2
331  */
332 #define	PAM_CHANGE_EXPIRED_AUTHTOK	0x4 /* update expired passwords only */
333 #define	PAM_NO_AUTHTOK_CHECK		0x8 /* bypass password strength tests */
334 
335 /* pam_putenv is called to add environment variables to the PAM handle */
336 
337 extern int
338 pam_putenv(
339 	pam_handle_t	*pamh,
340 	const char	*name_value
341 );
342 
343 /* pam_getenv is called to retrieve an env variable from the PAM handle */
344 
345 extern char *
346 pam_getenv(
347 	pam_handle_t	*pamh,
348 	const char	*name
349 );
350 
351 /* pam_getenvlist is called to retrieve all env variables from the PAM handle */
352 
353 extern char **
354 pam_getenvlist(
355 	pam_handle_t	*pamh
356 );
357 
358 #ifdef	__cplusplus
359 }
360 #endif
361 
362 #endif /* _PAM_APPL_H */
363