2 * <security/_pam_types.h>
4 * $Id: _pam_types.h,v 1.10 1997/04/05 06:52:50 morgan Exp morgan $
5 * $FreeBSD: src/contrib/libpam/libpam/include/security/_pam_types.h,v 1.1.1.1.6.2 2001/06/11 15:28:14 markm Exp $
6 * $DragonFly: src/contrib/libpam/libpam/include/security/Attic/_pam_types.h,v 1.2 2003/06/17 04:24:03 dillon Exp $
8 * This file defines all of the types common to the Linux-PAM library
9 * applications and modules.
11 * Note, the copyright+license information is at end of file.
13 * Created: 1996/3/5 by AGM
18 #ifndef _SECURITY__PAM_TYPES_H
19 #define _SECURITY__PAM_TYPES_H
22 * include local definition for POSIX - NULL
/* This is a blind (opaque) structure: applications and modules only
 * ever hold a pointer to a pam_handle_t and are not allowed to see
 * inside it, so struct pam_handle is deliberately NOT defined here.
 * It is defined in a file private to the PAM library (i.e., it is
 * private to PAM service modules, too!). All per-handle state is
 * reached through the accessor functions declared further down
 * (pam_set_item()/pam_get_item(), pam_putenv()/pam_getenv(), ...),
 * which is what keeps the layout free to change between releases. */
typedef struct pam_handle pam_handle_t;
/* ----------------- The Linux-PAM return values ------------------ */

/* Every libpam and module entry point returns one of these codes.
 * PAM_SUCCESS is the only value that means the operation succeeded;
 * callers must compare against PAM_SUCCESS explicitly and treat every
 * other code as a failure -- except the two flow-control codes
 * PAM_CONV_AGAIN and PAM_INCOMPLETE (below), which ask the application
 * to call the same function again later. The codes are contiguous and
 * must stay so: _PAM_RETURN_VALUES at the bottom counts them and is
 * presumably used to size per-code tables (e.g. behind pam_strerror()),
 * so keep it equal to the largest code + 1 whenever one is added. */

#define PAM_SUCCESS 0                /* Successful function return */
#define PAM_OPEN_ERR 1               /* dlopen() failure when dynamically */
                                     /* loading a service module */
#define PAM_SYMBOL_ERR 2             /* Symbol not found */
#define PAM_SERVICE_ERR 3            /* Error in service module */
#define PAM_SYSTEM_ERR 4             /* System error */
#define PAM_BUF_ERR 5                /* Memory buffer error */
#define PAM_PERM_DENIED 6            /* Permission denied */
#define PAM_AUTH_ERR 7               /* Authentication failure */
#define PAM_CRED_INSUFFICIENT 8      /* Can not access authentication data */
                                     /* due to insufficient credentials */
#define PAM_AUTHINFO_UNAVAIL 9       /* Underlying authentication service */
                                     /* can not retrieve the authentication */
                                     /* information it needs */
#define PAM_USER_UNKNOWN 10          /* User not known to the underlying */
                                     /* authentication module */
#define PAM_MAXTRIES 11              /* An authentication service has */
                                     /* maintained a retry count which has */
                                     /* been reached. No further retries */
                                     /* should be attempted */
#define PAM_NEW_AUTHTOK_REQD 12      /* New authentication token required. */
                                     /* This is normally returned if the */
                                     /* machine security policies require */
                                     /* that the password should be changed */
                                     /* because the password is NULL or it */
                                     /* has aged. The application is then */
                                     /* expected to drive a password change */
                                     /* (see the pam_chauthtok flags below) */
                                     /* before letting the user in */
#define PAM_ACCT_EXPIRED 13          /* User account has expired */
#define PAM_SESSION_ERR 14           /* Can not make/remove an entry for */
                                     /* the specified session */
#define PAM_CRED_UNAVAIL 15          /* Underlying authentication service */
                                     /* can not retrieve user credentials */
#define PAM_CRED_EXPIRED 16          /* User credentials expired */
#define PAM_CRED_ERR 17              /* Failure setting user credentials */
#define PAM_NO_MODULE_DATA 18        /* No module specific data is present */
#define PAM_CONV_ERR 19              /* Conversation error */
#define PAM_AUTHTOK_ERR 20           /* Authentication token manipulation error */
#define PAM_AUTHTOK_RECOVER_ERR 21   /* Authentication information */
                                     /* cannot be recovered */
#define PAM_AUTHTOK_LOCK_BUSY 22     /* Authentication token lock busy */
#define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */
#define PAM_TRY_AGAIN 24             /* Preliminary check by password service */
#define PAM_IGNORE 25                /* Ignore underlying account module */
                                     /* regardless of whether the control */
                                     /* flag is required, optional, or sufficient */
#define PAM_ABORT 26                 /* Critical error -- original note reads */
                                     /* "?module fail now request" */
#define PAM_AUTHTOK_EXPIRED 27       /* user's authentication token has expired */
#define PAM_MODULE_UNKNOWN 28        /* module is not known */

#define PAM_BAD_ITEM 29              /* Bad item passed to pam_*_item() */
#define PAM_CONV_AGAIN 30            /* conversation function is event driven
                                        and data is not available yet */
#define PAM_INCOMPLETE 31            /* please call this function again to
                                        complete authentication stack. Before
                                        calling again, verify that conversation
                                        has completed */

/* Add new #define's here (and bump _PAM_RETURN_VALUES to match) */

#define _PAM_RETURN_VALUES 32        /* this is the number of return values */
/* ---------------------- The Linux-PAM flags -------------------- */

/* These are bit flags: each value below occupies a distinct bit, so
 * they may be OR'd together in the 'flags' argument of the libpam call
 * named in the note above each group, and PAM_SILENT may be combined
 * with any of them. */

/* Authentication service should not generate any messages */
#define PAM_SILENT 0x8000U

/* Note: these flags are used by pam_authenticate{,_secondary}() */

/* The authentication service should return PAM_AUTH_ERR if the
 * user has a null authentication token (an empty password).
 * NOTE(review): nothing in this header requires a module to reject an
 * empty token when this flag is absent, so an application that grants
 * logins should pass it unless its policy deliberately permits empty
 * passwords. */
#define PAM_DISALLOW_NULL_AUTHTOK 0x0001U

/* Note: these flags are used for pam_setcred() */

/* Set user credentials for an authentication service */
#define PAM_ESTABLISH_CRED 0x0002U

/* Delete user credentials associated with an authentication service */
#define PAM_DELETE_CRED 0x0004U

/* Reinitialize user credentials */
#define PAM_REINITIALIZE_CRED 0x0008U

/* Extend lifetime of user credentials */
#define PAM_REFRESH_CRED 0x0010U

/* Note: these flags are used by pam_chauthtok */

/* The password service should only update those passwords that have
 * aged. If this flag is not passed, the password service should
 * update all passwords. */
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020U
/* ------------------ The Linux-PAM item types ------------------- */

/* these defines are used by pam_set_item() and pam_get_item() */

#define PAM_SERVICE 1                /* The service name */
#define PAM_USER 2                   /* The user name */
#define PAM_TTY 3                    /* The tty name */
#define PAM_RHOST 4                  /* The remote host name */
#define PAM_CONV 5                   /* The pam_conv structure */

/* Items 6 and 7 are deliberately absent here: they are defined in
 * <security/pam_modules.h> and are for modules only! */

/* NOTE(review): PAM_RHOST and PAM_RUSER are normally set by the
 * application from what the remote end supplied; nothing in this
 * header verifies them, so modules that log them or base policy on
 * them should treat them as untrusted input. */
#define PAM_RUSER 8                  /* The remote user name */
#define PAM_USER_PROMPT 9            /* the prompt for getting a username */
#define PAM_FAIL_DELAY 10            /* app supplied function to override failure
                                        delay behaviour (see pam_fail_delay()) */
#define PAM_LOG_STATE 11             /* ident, facility etc. logging info */
148 /* ---------- Common Linux-PAM application/module PI ----------- */
/* Store 'item' as item 'item_type' (one of the PAM_* item types above)
 * on the handle. 'item' is interpreted according to the item type: a
 * string for the name-like items, a struct pam_conv pointer for
 * PAM_CONV, a function pointer for PAM_FAIL_DELAY. Returns PAM_SUCCESS,
 * PAM_BAD_ITEM for an unknown item type, or another PAM_* error code. */
extern int pam_set_item(pam_handle_t *pamh, int item_type, const void *item);
151 extern int pam_get_item(const pam_handle_t *pamh, int item_type,
/* Map a PAM_* return code to a human-readable string. The result is
 * const and owned by libpam: do not free it. (The handle is taken
 * non-const even though the call presumably does not modify it.) */
extern const char *pam_strerror(pam_handle_t *pamh, int errnum);

/* The per-handle PAM environment, usable by both applications and
 * modules. pam_putenv() takes a single "name_value" string (presumably
 * of the form NAME=VALUE -- confirm against libpam) and returns a PAM_*
 * code; pam_getenv() returns libpam's own copy of one value, which must
 * not be freed; pam_getenvlist() returns a non-const char ** whose
 * ownership this header does not state -- confirm who frees it.
 * NOTE(review): since modules can call pam_putenv(), an application
 * that exports this environment into a user session should sanitise
 * it (e.g. reject unexpected PATH or LD_* entries) before exec'ing. */
extern int pam_putenv(pam_handle_t *pamh, const char *name_value);
extern const char *pam_getenv(pam_handle_t *pamh, const char *name);
extern char **pam_getenvlist(pam_handle_t *pamh);
159 /* ---------- Common Linux-PAM application/module PI ----------- */
/*
 * Proposed error-status bits for the 'error_status' argument of the
 * cleanup function associated with module data items. They are to be
 * logically OR'd with the error_status of the latest return from
 * libpam -- new with .52, with a positive impression from Sun,
 * although not official as of 1996/9/4. Generally the other such
 * flags are to be found in pam_modules.h; only this one is needed by
 * both applications and modules. It sits in a high bit precisely so
 * that it cannot collide with the return codes (0..31) it is OR'd with.
 */
#define PAM_DATA_SILENT 0x40000000   /* used to suppress messages... */
/*
 * Failure delay. pam_fail_delay() is callable by applications and
 * modules; it primes libpam to delay when a stacked set of modules
 * results in a failure (the sentence describing the PAM_SUCCESS case
 * is cut in this excerpt -- presumably the delay is then not applied;
 * confirm against libpam). 'musec_delay' is, per its name, in
 * microseconds. The delay is a brute-force countermeasure: it makes
 * every failed attempt cost wall-clock time.
 *
 * Note, the pam_[gs]et_item(... PAM_FAIL_DELAY ...) can be used to set
 * a function pointer which can override the default fail-delay behavior.
 * This item was added to accommodate event driven programs that need to
 * manage delays more carefully. The function prototype for this data
 * item is:
 *
 *     void (*fail_delay)(int status, unsigned int delay);
 *
 * NOTE(review): an override that simply returns removes the delay
 * entirely. An event-driven application installing one must still
 * enforce the requested delay before reporting the failure to the
 * remote end, otherwise it re-enables rapid password guessing.
 */
#define HAVE_PAM_FAIL_DELAY
extern int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay);
190 * the standard libc interface for syslog suffers from some problems.
191 * The first is that it is not thread safe. It is also three functions
192 * where PAM only really needs a "log this" function. It also does
193 * not provide modules and applications with information about whether
194 * the log is currently open or not etc... All of these things mean
195 * that we need to centralize PAM's logging facility. These two functions
196 * provide this centralization. They are, however, just a gateway to
197 * libc's openlog/syslog/closelog functions. Please note, your apps/modules
198 * will likely start to segfault if you do not use this function for
202 struct pam_log_state {
209 # include <syslog.h> /* this is a sad HACK. But we need LOG_CRIT etc.. */
/* Default values for the fields of struct pam_log_state: syslog ident,
 * openlog() option and facility (presumably used when a caller passes
 * no log_state to the logging functions below -- confirm).
 * NOTE(review): keep LOG_AUTHPRIV as the default facility rather than
 * LOG_AUTH; it is the facility conventionally routed to a restricted
 * log, which matters because authentication messages can carry
 * account details. */
#define PAM_LOG_STATE_IDENT "PAM"
#define PAM_LOG_STATE_OPTION LOG_PID
#define PAM_LOG_STATE_FACILITY LOG_AUTHPRIV
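/* Centralised logging gateway (see the rationale above): a thin
 * wrapper over libc's openlog()/syslog()/closelog() that carries the
 * ident, option and facility in 'log_state' (defaults: the
 * PAM_LOG_STATE_* macros above) instead of relying on libc's
 * process-global syslog state.
 *
 *   pamh      - handle the message relates to; it may also carry a
 *               PAM_LOG_STATE item, but how that combines with the
 *               'log_state' argument is not visible in this header --
 *               confirm against libpam
 *   log_state - ident/option/facility to log with
 *   priority  - a syslog LOG_* priority (hence the <syslog.h> include)
 *   format    - printf-style format; it MUST be a literal. Never pass a
 *               user name, remote host or any other attacker-influenced
 *               string as the format -- use "%s" and pass it as an
 *               argument. The format attribute below lets the compiler
 *               flag non-literal formats and mismatched arguments.
 *   args/...  - the format's arguments (va_list form / variadic form)
 *
 * Neither function returns a value. */
#define HAVE_PAM_SYSTEM_LOG

/* printf-style format checking where the compiler supports it; expands
 * to nothing elsewhere so the declarations stay portable. */
#ifndef PAM_LOG_FORMAT
# if defined(__GNUC__)
#  define PAM_LOG_FORMAT(fmt_idx, first_arg) \
	__attribute__((format(printf, fmt_idx, first_arg)))
# else
#  define PAM_LOG_FORMAT(fmt_idx, first_arg)
# endif
#endif

extern void pam_vsystem_log(const pam_handle_t *pamh,
			    const struct pam_log_state *log_state,
			    int priority, const char *format, va_list args)
	PAM_LOG_FORMAT(4, 0);
extern void pam_system_log(const pam_handle_t *pamh,
			   const struct pam_log_state *log_state,
			   int priority, const char *format, ... )
	PAM_LOG_FORMAT(4, 5);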
 * this defines some macros that keep track of what memory has been
 * allocated and indicates leakage etc... It should not be included in
 * production applications/modules. The conditional that guards the
 * #include below is not visible in this excerpt; confirm that it is
 * compiled out of production builds, since the tracking wrappers
 * replace the allocator for every module loaded into the process.
234 #include <security/pam_malloc.h>
237 /* ------------ The Linux-PAM conversation structures ------------ */
/* Values for pam_message.msg_style: what the application's conversation
 * function is being asked to do with a message. */

#define PAM_PROMPT_ECHO_OFF 1        /* prompt; the reply must not be echoed
                                        (typically a password or other secret) */
#define PAM_PROMPT_ECHO_ON 2         /* prompt; the reply may be echoed */
#define PAM_ERROR_MSG 3              /* an error message to show the user */
#define PAM_TEXT_INFO 4              /* informational text to show the user */

/* Linux-PAM specific types */

#define PAM_RADIO_TYPE 5             /* yes/no/maybe conditionals */

/* This is for server/client non-human interaction. These are NOT
 * part of the X/Open PAM specification (yet -- although Vipin has
 * hinted that they may well be, 1997/7/8) but are currently included
 * for exploratory reasons. Basically, they are for the module to
 * obtain a binary chunk of data from the client (via the server).
 * Such data is intercepted by the server and unpacked in preparation
 * for the module (see the PAM_BINARY_PROMPT pseudo-structure below).
 * NOTE(review): the chunk originates at the client, so the module
 * must treat it as untrusted input. */

#define PAM_BINARY_MSG 6
#define PAM_BINARY_PROMPT 7

/* Maximum size of messages/responses etc. These are mostly arbitrary,
 * so Linux-PAM should handle longer values -- i.e. they are advisory
 * limits, not bounds that libpam enforces. Conversation functions and
 * modules must therefore not copy into a fixed PAM_MAX_*_SIZE buffer
 * without an explicit length check of their own. */

#define PAM_MAX_NUM_MSG 32
#define PAM_MAX_MSG_SIZE 512
#define PAM_MAX_RESP_SIZE 512
268 /* Used to pass prompting text, error messages, or other informatory
269 * text to the user. This structure is allocated and freed by the PAM
270 * library (or loaded module). */
277 /* if the pam_message.msg_style = PAM_BINARY_PROMPT
278 the 'pam_message.msg' is a pointer to a 'const *' for the following
279 pseudo-structure. When used with a PAM_BINARY_PROMPT, the returned
280 pam_response.resp pointer points to an object with the following
284 u32 length; # network byte order
285 unsigned char data[length];
The 'libpam_client' library is designed around this flavor of
message and should be used to handle this msg_style. Note that
'length' arrives from the remote client: whatever unpacks such a
blob must convert it from network byte order and check it against
the number of bytes actually received before indexing 'data', since
a hostile client controls that field.
/* Used to return the user's response to the PAM library. This
structure is allocated by the application program, and free()'d by
the Linux-PAM library (or calling module). Because a response to a
PAM_PROMPT_ECHO_OFF prompt normally carries a secret such as a
password, whichever side frees it should overwrite the resp buffer
before calling free() rather than rely on free() alone -- confirm
this is done in libpam and in the modules you ship. */
296 struct pam_response {
298 int resp_retcode; /* currently un-used, zero expected */
301 /* The actual conversation structure itself */
304 int (*conv)(int num_msg, const struct pam_message **msg,
305 struct pam_response **resp, void *appdata_ptr);
311 * the following few lines represent a hack. They are there to make
312 * the Linux-PAM headers more compatible with the Sun ones, which have a
313 * less strictly separated notion of module specific and application
314 * specific definitions.
316 #include <security/pam_appl.h>
317 #include <security/pam_modules.h>
321 /* ... adapted from the pam_appl.h file created by Theodore Ts'o and
323 * Copyright Theodore Ts'o, 1996. All rights reserved.
324 * Copyright (c) Andrew G. Morgan <morgan@linux.kernel.org>, 1996-8
326 * Redistribution and use in source and binary forms, with or without
327 * modification, are permitted provided that the following conditions
329 * 1. Redistributions of source code must retain the above copyright
330 * notice, and the entire permission notice in its entirety,
331 * including the disclaimer of warranties.
332 * 2. Redistributions in binary form must reproduce the above copyright
333 * notice, this list of conditions and the following disclaimer in the
334 * documentation and/or other materials provided with the distribution.
335 * 3. The name of the author may not be used to endorse or promote
336 * products derived from this software without specific prior
337 * written permission.
339 * ALTERNATIVELY, this product may be distributed under the terms of
340 * the GNU Public License, in which case the provisions of the GPL are
341 * required INSTEAD OF the above restrictions. (This clause is
342 * necessary due to a potential bad interaction between the GPL and
343 * the restrictions contained in a BSD-style copyright.)
345 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
346 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
347 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
348 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
349 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
350 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
351 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
352 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
353 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
354 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
355 * OF THE POSSIBILITY OF SUCH DAMAGE. */
357 #endif /* _SECURITY__PAM_TYPES_H */