| 1 | /* |
|---|---|
| 2 | * <security/_pam_types.h> |
| 3 | * |
| 4 | * This file defines all of the types common to the Linux-PAM library |
| 5 | * applications and modules. |
| 6 | * |
| 7 | * Note, the copyright+license information is at end of file. |
| 8 | */ |
| 9 | |
| 10 | #ifndef _SECURITY__PAM_TYPES_H |
| 11 | #define _SECURITY__PAM_TYPES_H |
| 12 | |
| 13 | /* This is a blind structure; users aren't allowed to see inside a |
| 14 | * pam_handle_t, so we don't define struct pam_handle here. This is |
| 15 | * defined in a file private to the PAM library. (i.e., it's private |
| 16 | * to PAM service modules, too!) */ |
| 17 | |
| 18 | typedef struct pam_handle pam_handle_t; |
| 19 | |
| 20 | /* ---------------- The Linux-PAM Version defines ----------------- */ |
| 21 | |
| 22 | /* Major and minor version number of the Linux-PAM package. Use |
| 23 | these macros to test for features in specific releases. */ |
| 24 | #define __LINUX_PAM__ 1 |
| 25 | #define __LINUX_PAM_MINOR__ 0 |
| 26 | |
| 27 | /* ----------------- The Linux-PAM return values ------------------ */ |
| 28 | |
| 29 | #define PAM_SUCCESS 0 /* Successful function return */ |
| 30 | #define PAM_OPEN_ERR 1 /* dlopen() failure when dynamically */ |
| 31 | /* loading a service module */ |
| 32 | #define PAM_SYMBOL_ERR 2 /* Symbol not found */ |
| 33 | #define PAM_SERVICE_ERR 3 /* Error in service module */ |
| 34 | #define PAM_SYSTEM_ERR 4 /* System error */ |
| 35 | #define PAM_BUF_ERR 5 /* Memory buffer error */ |
| 36 | #define PAM_PERM_DENIED 6 /* Permission denied */ |
| 37 | #define PAM_AUTH_ERR 7 /* Authentication failure */ |
| 38 | #define PAM_CRED_INSUFFICIENT 8 /* Can not access authentication data */ |
| 39 | /* due to insufficient credentials */ |
| 40 | #define PAM_AUTHINFO_UNAVAIL 9 /* Underlying authentication service */ |
| 41 | /* can not retrieve authentication */ |
| 42 | /* information */ |
| 43 | #define PAM_USER_UNKNOWN 10 /* User not known to the underlying */ |
| 44 | /* authenticaiton module */ |
| 45 | #define PAM_MAXTRIES 11 /* An authentication service has */ |
| 46 | /* maintained a retry count which has */ |
| 47 | /* been reached. No further retries */ |
| 48 | /* should be attempted */ |
| 49 | #define PAM_NEW_AUTHTOK_REQD 12 /* New authentication token required. */ |
| 50 | /* This is normally returned if the */ |
| 51 | /* machine security policies require */ |
| 52 | /* that the password should be changed */ |
| 53 | /* beccause the password is NULL or it */ |
| 54 | /* has aged */ |
| 55 | #define PAM_ACCT_EXPIRED 13 /* User account has expired */ |
| 56 | #define PAM_SESSION_ERR 14 /* Can not make/remove an entry for */ |
| 57 | /* the specified session */ |
| 58 | #define PAM_CRED_UNAVAIL 15 /* Underlying authentication service */ |
| 59 | /* can not retrieve user credentials */ |
| 60 | /* unavailable */ |
| 61 | #define PAM_CRED_EXPIRED 16 /* User credentials expired */ |
| 62 | #define PAM_CRED_ERR 17 /* Failure setting user credentials */ |
| 63 | #define PAM_NO_MODULE_DATA 18 /* No module specific data is present */ |
| 64 | #define PAM_CONV_ERR 19 /* Conversation error */ |
| 65 | #define PAM_AUTHTOK_ERR 20 /* Authentication token manipulation error */ |
| 66 | #define PAM_AUTHTOK_RECOVERY_ERR 21 /* Authentication information */ |
| 67 | /* cannot be recovered */ |
| 68 | #define PAM_AUTHTOK_LOCK_BUSY 22 /* Authentication token lock busy */ |
| 69 | #define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */ |
| 70 | #define PAM_TRY_AGAIN 24 /* Preliminary check by password service */ |
| 71 | #define PAM_IGNORE 25 /* Ignore underlying account module */ |
| 72 | /* regardless of whether the control */ |
| 73 | /* flag is required, optional, or sufficient */ |
| 74 | #define PAM_ABORT 26 /* Critical error (?module fail now request) */ |
| 75 | #define PAM_AUTHTOK_EXPIRED 27 /* user's authentication token has expired */ |
| 76 | #define PAM_MODULE_UNKNOWN 28 /* module is not known */ |
| 77 | |
| 78 | #define PAM_BAD_ITEM 29 /* Bad item passed to pam_*_item() */ |
| 79 | #define PAM_CONV_AGAIN 30 /* conversation function is event driven |
| 80 | and data is not available yet */ |
| 81 | #define PAM_INCOMPLETE 31 /* please call this function again to |
| 82 | complete authentication stack. Before |
| 83 | calling again, verify that conversation |
| 84 | is completed */ |
| 85 | |
| 86 | /* |
| 87 | * Add new #define's here - take care to also extend the libpam code: |
| 88 | * pam_strerror() and "libpam/pam_tokens.h" . |
| 89 | */ |
| 90 | |
| 91 | #define _PAM_RETURN_VALUES 32 /* this is the number of return values */ |
| 92 | |
| 93 | |
| 94 | /* ---------------------- The Linux-PAM flags -------------------- */ |
| 95 | |
| 96 | /* Authentication service should not generate any messages */ |
| 97 | #define PAM_SILENT 0x8000U |
| 98 | |
| 99 | /* Note: these flags are used by pam_authenticate{,_secondary}() */ |
| 100 | |
| 101 | /* The authentication service should return PAM_AUTH_ERROR if the |
| 102 | * user has a null authentication token */ |
| 103 | #define PAM_DISALLOW_NULL_AUTHTOK 0x0001U |
| 104 | |
| 105 | /* Note: these flags are used for pam_setcred() */ |
| 106 | |
| 107 | /* Set user credentials for an authentication service */ |
| 108 | #define PAM_ESTABLISH_CRED 0x0002U |
| 109 | |
| 110 | /* Delete user credentials associated with an authentication service */ |
| 111 | #define PAM_DELETE_CRED 0x0004U |
| 112 | |
| 113 | /* Reinitialize user credentials */ |
| 114 | #define PAM_REINITIALIZE_CRED 0x0008U |
| 115 | |
| 116 | /* Extend lifetime of user credentials */ |
| 117 | #define PAM_REFRESH_CRED 0x0010U |
| 118 | |
| 119 | /* Note: these flags are used by pam_chauthtok */ |
| 120 | |
| 121 | /* The password service should only update those passwords that have |
| 122 | * aged. If this flag is not passed, the password service should |
| 123 | * update all passwords. */ |
| 124 | #define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020U |
| 125 | |
| 126 | /* ------------------ The Linux-PAM item types ------------------- */ |
| 127 | |
| 128 | /* These defines are used by pam_set_item() and pam_get_item(). |
| 129 | Please check the spec which are allowed for use by applications |
| 130 | and which are only allowed for use by modules. */ |
| 131 | |
| 132 | #define PAM_SERVICE 1 /* The service name */ |
| 133 | #define PAM_USER 2 /* The user name */ |
| 134 | #define PAM_TTY 3 /* The tty name */ |
| 135 | #define PAM_RHOST 4 /* The remote host name */ |
| 136 | #define PAM_CONV 5 /* The pam_conv structure */ |
| 137 | #define PAM_AUTHTOK 6 /* The authentication token (password) */ |
| 138 | #define PAM_OLDAUTHTOK 7 /* The old authentication token */ |
| 139 | #define PAM_RUSER 8 /* The remote user name */ |
| 140 | #define PAM_USER_PROMPT 9 /* the prompt for getting a username */ |
| 141 | /* Linux-PAM extensions */ |
| 142 | #define PAM_FAIL_DELAY 10 /* app supplied function to override failure |
| 143 | delays */ |
| 144 | #define PAM_XDISPLAY 11 /* X display name */ |
| 145 | #define PAM_XAUTHDATA 12 /* X server authentication data */ |
| 146 | #define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */ |
| 147 | |
| 148 | /* -------------- Special defines used by Linux-PAM -------------- */ |
| 149 | |
| 150 | #if defined(__GNUC__) && defined(__GNUC_MINOR__) |
| 151 | # define PAM_GNUC_PREREQ(maj, min) \ |
| 152 | ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min)) |
| 153 | #else |
| 154 | # define PAM_GNUC_PREREQ(maj, min) 0 |
| 155 | #endif |
| 156 | |
| 157 | #if PAM_GNUC_PREREQ(2,5) |
| 158 | # define PAM_FORMAT(params) __attribute__((__format__ params)) |
| 159 | #else |
| 160 | # define PAM_FORMAT(params) |
| 161 | #endif |
| 162 | |
| 163 | #if PAM_GNUC_PREREQ(3,3) && !defined(LIBPAM_COMPILE) |
| 164 | # define PAM_NONNULL(params) __attribute__((__nonnull__ params)) |
| 165 | #else |
| 166 | # define PAM_NONNULL(params) |
| 167 | #endif |
| 168 | |
| 169 | /* ---------- Common Linux-PAM application/module PI ----------- */ |
| 170 | |
| 171 | extern int PAM_NONNULL((1)) |
| 172 | pam_set_item(pam_handle_t *pamh, int item_type, const void *item); |
| 173 | |
| 174 | extern int PAM_NONNULL((1)) |
| 175 | pam_get_item(const pam_handle_t *pamh, int item_type, const void **item); |
| 176 | |
| 177 | extern const char * |
| 178 | pam_strerror(pam_handle_t *pamh, int errnum); |
| 179 | |
| 180 | extern int PAM_NONNULL((1,2)) |
| 181 | pam_putenv(pam_handle_t *pamh, const char *name_value); |
| 182 | |
| 183 | extern const char * PAM_NONNULL((1,2)) |
| 184 | pam_getenv(pam_handle_t *pamh, const char *name); |
| 185 | |
| 186 | extern char ** PAM_NONNULL((1)) |
| 187 | pam_getenvlist(pam_handle_t *pamh); |
| 188 | |
| 189 | /* ---------- Common Linux-PAM application/module PI ----------- */ |
| 190 | |
| 191 | /* |
| 192 | * here are some proposed error status definitions for the |
| 193 | * 'error_status' argument used by the cleanup function associated |
| 194 | * with data items they should be logically OR'd with the error_status |
| 195 | * of the latest return from libpam -- new with .52 and positive |
| 196 | * impression from Sun although not official as of 1996/9/4 |
| 197 | * [generally the other flags are to be found in pam_modules.h] |
| 198 | */ |
| 199 | |
| 200 | #define PAM_DATA_SILENT 0x40000000 /* used to suppress messages... */ |
| 201 | |
| 202 | /* |
| 203 | * here we define an externally (by apps or modules) callable function |
| 204 | * that primes the libpam library to delay when a stacked set of |
| 205 | * modules results in a failure. In the case of PAM_SUCCESS this delay |
| 206 | * is ignored. |
| 207 | * |
| 208 | * Note, the pam_[gs]et_item(... PAM_FAIL_DELAY ...) can be used to set |
| 209 | * a function pointer which can override the default fail-delay behavior. |
| 210 | * This item was added to accommodate event driven programs that need to |
| 211 | * manage delays more carefully. The function prototype for this data |
| 212 | * item is |
| 213 | * void (*fail_delay)(int status, unsigned int delay, void *appdata_ptr); |
| 214 | */ |
| 215 | |
| 216 | #define HAVE_PAM_FAIL_DELAY |
| 217 | extern int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay); |
| 218 | |
| 219 | /* ------------ The Linux-PAM conversation structures ------------ */ |
| 220 | |
| 221 | /* Message styles */ |
| 222 | |
| 223 | #define PAM_PROMPT_ECHO_OFF 1 |
| 224 | #define PAM_PROMPT_ECHO_ON 2 |
| 225 | #define PAM_ERROR_MSG 3 |
| 226 | #define PAM_TEXT_INFO 4 |
| 227 | |
| 228 | /* Linux-PAM specific types */ |
| 229 | |
| 230 | #define PAM_RADIO_TYPE 5 /* yes/no/maybe conditionals */ |
| 231 | |
| 232 | /* This is for server client non-human interaction.. these are NOT |
| 233 | part of the X/Open PAM specification. */ |
| 234 | |
| 235 | #define PAM_BINARY_PROMPT 7 |
| 236 | |
| 237 | /* maximum size of messages/responses etc.. (these are mostly |
| 238 | arbitrary so Linux-PAM should handle longer values). */ |
| 239 | |
| 240 | #define PAM_MAX_NUM_MSG 32 |
| 241 | #define PAM_MAX_MSG_SIZE 512 |
| 242 | #define PAM_MAX_RESP_SIZE 512 |
| 243 | |
| 244 | /* Used to pass prompting text, error messages, or other informatory |
| 245 | * text to the user. This structure is allocated and freed by the PAM |
| 246 | * library (or loaded module). */ |
| 247 | |
| 248 | struct pam_message { |
| 249 | int msg_style; |
| 250 | const char *msg; |
| 251 | }; |
| 252 | |
| 253 | /* if the pam_message.msg_style = PAM_BINARY_PROMPT |
| 254 | the 'pam_message.msg' is a pointer to a 'const *' for the following |
| 255 | pseudo-structure. When used with a PAM_BINARY_PROMPT, the returned |
| 256 | pam_response.resp pointer points to an object with the following |
| 257 | structure: |
| 258 | |
| 259 | struct { |
| 260 | u32 length; # network byte order |
| 261 | unsigned char type; |
| 262 | unsigned char data[length-5]; |
| 263 | }; |
| 264 | |
| 265 | The 'libpamc' library is designed around this flavor of |
| 266 | message and should be used to handle this flavor of msg_style. |
| 267 | */ |
| 268 | |
| 269 | /* Used to return the user's response to the PAM library. This |
| 270 | structure is allocated by the application program, and free()'d by |
| 271 | the Linux-PAM library (or calling module). */ |
| 272 | |
| 273 | struct pam_response { |
| 274 | char *resp; |
| 275 | int resp_retcode; /* currently un-used, zero expected */ |
| 276 | }; |
| 277 | |
| 278 | /* The actual conversation structure itself */ |
| 279 | |
| 280 | struct pam_conv { |
| 281 | int (*conv)(int num_msg, const struct pam_message **msg, |
| 282 | struct pam_response **resp, void *appdata_ptr); |
| 283 | void *appdata_ptr; |
| 284 | }; |
| 285 | |
| 286 | /* Used by the PAM_XAUTHDATA pam item. Contains X authentication |
| 287 | data used by modules to connect to the user's X display. Note: |
| 288 | this structure is intentionally compatible with xcb_auth_info_t. */ |
| 289 | |
| 290 | struct pam_xauth_data { |
| 291 | int namelen; |
| 292 | char *name; |
| 293 | int datalen; |
| 294 | char *data; |
| 295 | }; |
| 296 | |
| 297 | /* ... adapted from the pam_appl.h file created by Theodore Ts'o and |
| 298 | * |
| 299 | * Copyright Theodore Ts'o, 1996. All rights reserved. |
| 300 | * Copyright (c) Andrew G. Morgan <morgan@linux.kernel.org>, 1996-8 |
| 301 | * |
| 302 | * Redistribution and use in source and binary forms, with or without |
| 303 | * modification, are permitted provided that the following conditions |
| 304 | * are met: |
| 305 | * 1. Redistributions of source code must retain the above copyright |
| 306 | * notice, and the entire permission notice in its entirety, |
| 307 | * including the disclaimer of warranties. |
| 308 | * 2. Redistributions in binary form must reproduce the above copyright |
| 309 | * notice, this list of conditions and the following disclaimer in the |
| 310 | * documentation and/or other materials provided with the distribution. |
| 311 | * 3. The name of the author may not be used to endorse or promote |
| 312 | * products derived from this software without specific prior |
| 313 | * written permission. |
| 314 | * |
| 315 | * ALTERNATIVELY, this product may be distributed under the terms of |
| 316 | * the GNU Public License, in which case the provisions of the GPL are |
| 317 | * required INSTEAD OF the above restrictions. (This clause is |
| 318 | * necessary due to a potential bad interaction between the GPL and |
| 319 | * the restrictions contained in a BSD-style copyright.) |
| 320 | * |
| 321 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED |
| 322 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
| 323 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| 324 | * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, |
| 325 | * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
| 326 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
| 327 | * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 328 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 329 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 330 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 331 | * OF THE POSSIBILITY OF SUCH DAMAGE. */ |
| 332 | |
| 333 | #endif /* _SECURITY__PAM_TYPES_H */ |
| 334 |
Generated while processing kde-workspace/kcheckpass/checkpass_pam.c
Generated on 2014-Aug-04 from project include
Powered by 
Code Browser 1.7