/*
 * <security/_pam_types.h>
 *
 * $Id: _pam_types.h,v 1.1 2001/04/29 04:17:10 hartmans Exp $
 *
 * This file defines all of the types common to the Linux-PAM library
 * applications and modules.
 *
 * Note, the copyright+license information is at end of file.
 *
 * Created: 1996/3/5 by AGM
 */
#ifndef _SECURITY__PAM_TYPES_H
#define _SECURITY__PAM_TYPES_H
#ifndef __LIBPAM_VERSION
# define __LIBPAM_VERSION __libpam_version
extern unsigned int __libpam_version;
* include local definition for POSIX - NULL
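/*
 * Opaque PAM handle.
 *
 * This is a blind structure; users aren't allowed to see inside a
 * pam_handle_t, so struct pam_handle is not defined here.  It is
 * defined in a file private to the PAM library (i.e., it's private
 * to PAM service modules, too!).  Only the incomplete type is declared,
 * so code outside the library can hold and pass a pam_handle_t pointer
 * but cannot dereference it or take its size.
 */
typedef struct pam_handle pam_handle_t;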
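/* ----------------- The Linux-PAM return values ------------------ */

/*
 * Status codes returned by the libpam functions.  PAM_SUCCESS (0) is the
 * only value described here as a successful return.
 * NOTE(review): an application should not treat a user as authenticated
 * or authorised on any other value, including one it does not recognise.
 */

#define PAM_SUCCESS 0               /* Successful function return */
#define PAM_OPEN_ERR 1              /* dlopen() failure when dynamically */
                                    /* loading a service module */
#define PAM_SYMBOL_ERR 2            /* Symbol not found */
#define PAM_SERVICE_ERR 3           /* Error in service module */
#define PAM_SYSTEM_ERR 4            /* System error */
#define PAM_BUF_ERR 5               /* Memory buffer error */
#define PAM_PERM_DENIED 6           /* Permission denied */
#define PAM_AUTH_ERR 7              /* Authentication failure */
#define PAM_CRED_INSUFFICIENT 8     /* Can not access authentication data */
                                    /* due to insufficient credentials */
#define PAM_AUTHINFO_UNAVAIL 9      /* Underlying authentication service */
                                    /* can not retrieve authentication */
                                    /* information */
/*
 * NOTE(review): a service that reports results to a remote peer usually
 * should not distinguish PAM_USER_UNKNOWN from PAM_AUTH_ERR in what it
 * sends back, otherwise it discloses which account names exist.
 */
#define PAM_USER_UNKNOWN 10         /* User not known to the underlying */
                                    /* authentication module */
#define PAM_MAXTRIES 11             /* An authentication service has */
                                    /* maintained a retry count which has */
                                    /* been reached. No further retries */
                                    /* should be attempted */
#define PAM_NEW_AUTHTOK_REQD 12     /* New authentication token required. */
                                    /* This is normally returned if the */
                                    /* machine security policies require */
                                    /* that the password should be changed */
                                    /* because the password is NULL or it */
                                    /* has aged */
#define PAM_ACCT_EXPIRED 13         /* User account has expired */
#define PAM_SESSION_ERR 14          /* Can not make/remove an entry for */
                                    /* the specified session */
#define PAM_CRED_UNAVAIL 15         /* Underlying authentication service */
                                    /* can not retrieve user credentials */
#define PAM_CRED_EXPIRED 16         /* User credentials expired */
#define PAM_CRED_ERR 17             /* Failure setting user credentials */
#define PAM_NO_MODULE_DATA 18       /* No module specific data is present */
#define PAM_CONV_ERR 19             /* Conversation error */
#define PAM_AUTHTOK_ERR 20          /* Authentication token manipulation error */
#define PAM_AUTHTOK_RECOVER_ERR 21  /* Authentication information */
                                    /* cannot be recovered */
#define PAM_AUTHTOK_LOCK_BUSY 22    /* Authentication token lock busy */
#define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */
#define PAM_TRY_AGAIN 24            /* Preliminary check by password service */
#define PAM_IGNORE 25               /* Ignore underlying account module */
                                    /* regardless of whether the control */
                                    /* flag is required, optional, or sufficient */
#define PAM_ABORT 26                /* Critical error (?module fail now request) */
#define PAM_AUTHTOK_EXPIRED 27      /* user's authentication token has expired */
#define PAM_MODULE_UNKNOWN 28       /* module is not known */
#define PAM_BAD_ITEM 29             /* Bad item passed to pam_*_item() */
#define PAM_CONV_AGAIN 30           /* conversation function is event driven
                                       and data is not available yet */
#define PAM_INCOMPLETE 31           /* please call this function again to
                                       complete authentication stack. Before
                                       calling again, verify that conversation
                                       is completed */

/*
 * Add new #define's here - take care to also extend the libpam code:
 * pam_strerror() and "libpam/pam_tokens.h" .
 */

/* One more than the highest code above (PAM_INCOMPLETE, 31). */
#define _PAM_RETURN_VALUES 32       /* this is the number of return values */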
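/* ---------------------- The Linux-PAM flags -------------------- */

/*
 * Every flag below occupies its own bit, so flags can be combined with
 * bitwise OR and tested with bitwise AND.
 */

/* Authentication service should not generate any messages */
#define PAM_SILENT 0x8000U

/* Note: these flags are used by pam_authenticate{,_secondary}() */

/* The authentication service should return PAM_AUTH_ERR if the
 * user has a null authentication token.
 * NOTE(review): when the flag is not passed, whether a null token is
 * accepted is up to the module - confirm against the configured stack. */
#define PAM_DISALLOW_NULL_AUTHTOK 0x0001U

/* Note: these flags are used for pam_setcred() */

/* Set user credentials for an authentication service */
#define PAM_ESTABLISH_CRED 0x0002U

/* Delete user credentials associated with an authentication service */
#define PAM_DELETE_CRED 0x0004U

/* Reinitialize user credentials */
#define PAM_REINITIALIZE_CRED 0x0008U

/* Extend lifetime of user credentials */
#define PAM_REFRESH_CRED 0x0010U

/* Note: these flags are used by pam_chauthtok */

/* The password service should only update those passwords that have
 * aged. If this flag is not passed, the password service should
 * update all passwords. */
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020U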
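/* ------------------ The Linux-PAM item types ------------------- */

/* these defines are used by pam_set_item() and pam_get_item() */

#define PAM_SERVICE 1      /* The service name */
#define PAM_USER 2         /* The user name */
#define PAM_TTY 3          /* The tty name */
/*
 * NOTE(review): PAM_RHOST (and PAM_RUSER below) are set through
 * pam_set_item(); presumably the application fills them from what the
 * remote side reported, so consumers should not treat them as verified
 * identities - confirm against the caller.
 */
#define PAM_RHOST 4        /* The remote host name */
#define PAM_CONV 5         /* The pam_conv structure */

/* missing entries found in <security/pam_modules.h> for modules only! */
/* (item values 6 and 7 are not defined in this header) */

#define PAM_RUSER 8        /* The remote user name */
#define PAM_USER_PROMPT 9  /* the prompt for getting a username */
#define PAM_FAIL_DELAY 10  /* app supplied function to override failure
                              delays */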
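/* ---------- Common Linux-PAM application/module PI ----------- */

/*
 * Store `item` in the handle under `item_type`, one of the item types
 * defined in this header (PAM_SERVICE, PAM_USER, ...).
 * Returns an int; judging by the return-value table in this header
 * (PAM_BAD_ITEM is "Bad item passed to pam_*_item()") this is a PAM_*
 * status code, so callers should compare it with PAM_SUCCESS.
 */
extern int pam_set_item(pam_handle_t *pamh, int item_type, const void *item);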
extern int pam_get_item(const pam_handle_t *pamh, int item_type,
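/*
 * Return a message string for `errnum`.  The return-value section of this
 * header asks for pam_strerror() to be extended whenever a PAM_* return
 * value is added, so errnum is expected to be one of those values.
 * The result is const: callers must not write through it.
 */
extern const char *pam_strerror(pam_handle_t *pamh, int errnum);

/*
 * Environment associated with the PAM handle.
 *
 * pam_putenv()     takes one string, name_value.
 *                  NOTE(review): presumably of the form "NAME=value" -
 *                  confirm the accepted forms in the libpam documentation.
 * pam_getenv()     looks up `name` and returns a const string.
 * pam_getenvlist() returns a non-const char ** list.
 *                  NOTE(review): the header does not say who owns the
 *                  returned list - confirm before freeing or retaining it.
 *
 * NOTE(review): these values can be set by modules; an application that
 * copies them into the environment of a session or child process should
 * decide deliberately which variables it lets through.
 */
extern int pam_putenv(pam_handle_t *pamh, const char *name_value);
extern const char *pam_getenv(pam_handle_t *pamh, const char *name);
extern char **pam_getenvlist(pam_handle_t *pamh);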
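/* ---------- Common Linux-PAM application/module PI ----------- */

/*
 * here are some proposed error status definitions for the
 * 'error_status' argument used by the cleanup function associated
 * with data items; they should be logically OR'd with the error_status
 * of the latest return from libpam -- new with .52 and positive
 * impression from Sun although not official as of 1996/9/4
 * [generally the other flags are to be found in pam_modules.h]
 */

/*
 * Bit 30.  The return values defined in this header are all below 32, so
 * OR-ing this flag into one of them leaves the status code recoverable by
 * masking the flag off again.
 */
#define PAM_DATA_SILENT 0x40000000 /* used to suppress messages... */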
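/*
 * here we define an externally (by apps or modules) callable function
 * that primes the libpam library to delay when a stacked set of
 * modules results in a failure. In the case of PAM_SUCCESS this delay
 * is ignored.
 *
 * Note, the pam_[gs]et_item(... PAM_FAIL_DELAY ...) can be used to set
 * a function pointer which can override the default fail-delay behavior.
 * This item was added to accommodate event driven programs that need to
 * manage delays more carefully. The function prototype for this data
 * item is
 *
 *     void (*fail_delay)(int status, unsigned int delay, void *appdata_ptr);
 *
 * NOTE(review): a delay after a failed attempt slows repeated guessing.
 * An application that installs its own PAM_FAIL_DELAY function replaces
 * the default behavior, so it becomes responsible for actually applying
 * the delay it is handed.
 */

/* Lets callers test at compile time that pam_fail_delay() is declared. */
#define HAVE_PAM_FAIL_DELAY

/* musec_delay: requested delay; the name suggests microseconds - confirm. */
extern int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay);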
# define LOG_AUTHPRIV LOG_PRIV
# endif /* LOG_PRIV */
#endif /* !LOG_AUTHPRIV */
* this defines some macros that keep track of what memory has been
* allocated and indicates leakage etc... It should not be included in
* production application/modules.
#include <security/pam_malloc.h>
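/* ------------ The Linux-PAM conversation structures ------------ */

/*
 * Message style values.  The names indicate whether the user's input is
 * echoed while a prompt is answered (ECHO_OFF / ECHO_ON) or whether the
 * message is output only (ERROR_MSG / TEXT_INFO).
 */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON 2
#define PAM_ERROR_MSG 3
#define PAM_TEXT_INFO 4

/* Linux-PAM specific types */

#define PAM_RADIO_TYPE 5 /* yes/no/maybe conditionals */

/* This is for server client non-human interaction.. these are NOT
   part of the X/Open PAM specification. */

#define PAM_BINARY_PROMPT 7

/* maximum size of messages/responses etc.. (these are mostly
   arbitrary so Linux-PAM should handle longer values).
   NOTE(review): because the limits are described as arbitrary, a
   conversation function should still check the message count and the
   lengths it is actually given rather than assume they fit fixed-size
   buffers of these sizes. */

#define PAM_MAX_NUM_MSG 32
#define PAM_MAX_MSG_SIZE 512
#define PAM_MAX_RESP_SIZE 512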
/* Used to pass prompting text, error messages, or other informatory
* text to the user. This structure is allocated and freed by the PAM
* library (or loaded module). */
/* if the pam_message.msg_style = PAM_BINARY_PROMPT
   the 'pam_message.msg' is a pointer to a 'const *' for the following
   pseudo-structure. When used with a PAM_BINARY_PROMPT, the returned
   pam_response.resp pointer points to an object with the following
   structure:

   u32 length; # network byte order
   unsigned char data[length-5];

   The size data[length-5] implies that length also counts 5 bytes that
   precede data, so a receiver has to reject any length below 5 before
   deriving the payload size from it.

   The 'libpamc' library is designed around this flavor of
   message and should be used to handle this flavor of msg_style.
   */
/* Used to return the user's response to the PAM library. This
   structure is allocated by the application program, and free()'d by
   the Linux-PAM library (or calling module). Because it is released
   with free(), the application has to obtain it from malloc() or a
   compatible allocator. */
struct pam_response {
int resp_retcode; /* currently un-used, zero expected */
/* The actual conversation structure itself */
int (*conv)(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
* the following few lines represent a hack. They are there to make
* the Linux-PAM headers more compatible with the Sun ones, which have a
* less strictly separated notion of module specific and application
* specific definitions.
#include <security/pam_appl.h>
#include <security/pam_modules.h>
/* ... adapted from the pam_appl.h file created by Theodore Ts'o and
* Copyright Theodore Ts'o, 1996. All rights reserved.
* Copyright (c) Andrew G. Morgan <morgan@linux.kernel.org>, 1996-8
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* 1. Redistributions of source code must retain the above copyright
* notice, and the entire permission notice in its entirety,
* including the disclaimer of warranties.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior
* written permission.
* ALTERNATIVELY, this product may be distributed under the terms of
* the GNU Public License, in which case the provisions of the GPL are
* required INSTEAD OF the above restrictions. (This clause is
* necessary due to a potential bad interaction between the GPL and
* the restrictions contained in a BSD-style copyright.)
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE. */
#endif /* _SECURITY__PAM_TYPES_H */