The Linux-PAM Application Developers' Guide

Andrew G. Morgan

Thorsten Kukuk

Version 1.1.2, 31. August 2010


This manual documents what an application developer needs to know about the Linux-PAM library. It describes how an application might use the Linux-PAM library to authenticate users. In addition it contains a description of the functions to be found in libpam_misc library, that can be used in general applications. Finally, it contains some comments on PAM related security issues for the application developer.

Table of Contents

1. Introduction
1.1. Description
1.2. Synopsis
2. Overview
3. The public interface to Linux-PAM
3.1. What can be expected by the application
3.1.1. Initialization of PAM transaction
3.1.2. Termination of PAM transaction
3.1.3. Setting PAM items
3.1.4. Getting PAM items
3.1.5. Strings describing PAM error codes
3.1.6. Request a delay on failure
3.1.7. Authenticating the user
3.1.8. Setting user credentials
3.1.9. Account validation management
3.1.10. Updating authentication tokens
3.1.11. Start PAM session management
3.1.12. terminating PAM session management
3.1.13. Set or change PAM environment variable
3.1.14. Get a PAM environment variable
3.1.15. Getting the PAM environment
3.2. What is expected of an application
3.2.1. The conversation function
3.3. Programming notes
4. Security issues of Linux-PAM
4.1. Care about standard library calls
4.2. Choice of a service name
4.3. The conversation function
4.4. The identity of the user
4.5. Sufficient resources
5. A library of miscellaneous helper functions
5.1. Functions supplied
5.1.1. Text based conversation function
5.1.2. Transcribing an environment to that of PAM
5.1.3. Liberating a locally saved environment
5.1.4. BSD like PAM environment variable setting
6. Porting legacy applications
7. Glossary of PAM related terms
8. An example application
9. Files
10. See also
11. Author/acknowledgments
12. Copyright information for this document