pam_sm_chauthtok(3)
NAME
pam_sm_chauthtok - Service provider implementation for pam_chauthtok
SYNOPSIS
[ flag ... ] file ... [ library ... ]
DESCRIPTION
In response to a call to pam_chauthtok(3), the PAM framework calls
pam_sm_chauthtok from the modules listed in the pam.conf(4) file. The
password management provider supplies the back-end functionality for
this interface function. pam_sm_chauthtok changes the authentication
token associated with a particular user referenced by the
authentication handle, pamh.
The following flag may be passed in to
The password service should not generate any messages.
The password service should only update those passwords that have aged.
If this flag is not passed, the password
service should update all passwords.
The password service should only perform preliminary checks.
No passwords should be updated.
The password service should update passwords.
Note that and can not be set at the same time.
Upon successful completion of the call, the authentication token of the
user will be ready for change or will be changed (depending upon the
flag) in accordance with the authentication scheme configured within
the system.
The argc argument represents the number of module options passed in
from the configuration file pam.conf(4). argv specifies the module
options, which are interpreted and processed by the password management
service. Please refer to the specific module man pages for the various
available options.
It is the responsibility of pam_sm_chauthtok to determine if the new
password meets certain strength requirements. pam_sm_chauthtok may
continue to re-prompt the user (for a limited number of times) for a
new password until the password entered meets the strength
requirements.
Before returning, should call and retrieve both and If both are NULL,
should set them to the new and old passwords as entered by the user.
APPLICATION USAGE
Refer to pam(3) for information on thread-safety of PAM interfaces.
NOTES
The PAM framework invokes the password services twice. The first time
the modules are invoked with the flag. During this stage, the password
modules should only perform preliminary checks (ping remote name
services to see if they are ready for updates, for example). If a
password module detects a transient error (remote name service
temporarily down, for example) it should return to the PAM framework,
which will immediately return the error back to the application. If all
password modules pass the preliminary check, the PAM framework invokes
the password services again with the flag. During this stage, each
password module should proceed to update the appropriate password. Any
error will again be reported back to the application.
If a service module receives the flag, it should check whether the
password has aged or expired. If the password has aged or expired,
then the service module should proceed to update the password. If the
status indicates that the password has not yet aged/expired, then the
password module should return
If a user's password has aged or expired, a PAM account module could
save this information as state in the authentication handle, pamh,
using The related password management module could retrieve this
information using to determine whether or not it should prompt the
user to update the password for this particular module.
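
The two-pass invocation described in NOTES, as an added example that is not part of the original man page: every module must pass the preliminary check before any module writes a token. The flag and return-code names are the standard PAM header names and are assumed here because this page's text does not show them; struct backend, chauthtok_dispatch and change_password are hypothetical, and the constant values are stand-ins.

```c
/* Stand-in values (assumption) so the example builds without PAM headers;
 * a real module takes these names from <security/pam_modules.h>. */
#ifndef PAM_PRELIM_CHECK
enum { PAM_SUCCESS = 0, PAM_AUTHTOK_ERR = 20, PAM_TRY_AGAIN = 24, PAM_IGNORE = 25 };
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020
#define PAM_UPDATE_AUTHTOK         0x2000
#define PAM_PRELIM_CHECK           0x4000
#endif

/* Hypothetical backend state; a real module queries its password store. */
struct backend {
    int reachable;   /* name service ready for updates? */
    int token_aged;  /* has this user's password aged or expired? */
    int updates;     /* writes performed, counted for the demonstration */
};

/* Decision logic a module applies to the flags of one invocation. */
int chauthtok_dispatch(int flags, struct backend *b)
{
    int prelim = (flags & PAM_PRELIM_CHECK) != 0;
    int update = (flags & PAM_UPDATE_AUTHTOK) != 0;

    if (prelim == update)            /* exactly one phase flag is legal */
        return PAM_AUTHTOK_ERR;      /* error code is this example's choice */
    if (prelim && !b->reachable)
        return PAM_TRY_AGAIN;        /* transient failure, nothing written */
    if ((flags & PAM_CHANGE_EXPIRED_AUTHTOK) && !b->token_aged)
        return PAM_IGNORE;           /* aged-only request, token still fresh */
    if (prelim)
        return PAM_SUCCESS;          /* checks only, no update in this pass */
    if (!b->reachable)
        return PAM_AUTHTOK_ERR;
    b->updates++;                    /* stands in for the real token write */
    return PAM_SUCCESS;
}

/* Simplified framework: two passes over n modules, control flags ignored. */
int change_password(struct backend *mods, int n, int flags)
{
    for (int pass = 0; pass < 2; pass++) {
        int phase = pass == 0 ? PAM_PRELIM_CHECK : PAM_UPDATE_AUTHTOK;
        for (int i = 0; i < n; i++) {
            int rc = chauthtok_dispatch(flags | phase, &mods[i]);
            if (rc != PAM_SUCCESS && rc != PAM_IGNORE)
                return rc;           /* reported back to the application */
        }
    }
    return PAM_SUCCESS;
}
```

With one unreachable backend in the stack, the first pass fails and no other module's token is written, which is what keeps multiple password stores from ending up out of step.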
RETURN VALUES
Upon successful completion, must be returned. The following values may
also be returned:
No permission.
Authentication token manipulation error.
Old authentication token cannot be recovered.
Authentication token lock busy.
Authentication token aging disabled.
User unknown to password service.
Preliminary check by password service failed.
SEE ALSO
pam(3), pam_chauthtok(3), pam.conf(4).