/*
* <security/_pam_types.h>
*
* This file defines all of the types common to the Linux-PAM library
* applications and modules.
*
* Note, the copyright+license information is at end of file.
*/
#ifndef _SECURITY__PAM_TYPES_H
#define _SECURITY__PAM_TYPES_H
/* This is a blind structure; users aren't allowed to see inside a
* pam_handle_t, so we don't define struct pam_handle here. This is
* defined in a file private to the PAM library. (i.e., it's private
* to PAM service modules, too!) */
typedef struct pam_handle pam_handle_t;
/* ---------------- The Linux-PAM Version defines ----------------- */
/* Major and minor version number of the Linux-PAM package. Use
these macros to test for features in specific releases. */
#define __LINUX_PAM__ 1
#define __LINUX_PAM_MINOR__ 0
/* ----------------- The Linux-PAM return values ------------------ */
#define PAM_SUCCESS 0 /* Successful function return */
#define PAM_OPEN_ERR 1 /* dlopen() failure when dynamically */
/* loading a service module */
#define PAM_SYMBOL_ERR 2 /* Symbol not found */
#define PAM_SERVICE_ERR 3 /* Error in service module */
#define PAM_SYSTEM_ERR 4 /* System error */
#define PAM_BUF_ERR 5 /* Memory buffer error */
#define PAM_PERM_DENIED 6 /* Permission denied */
#define PAM_AUTH_ERR 7 /* Authentication failure */
#define PAM_CRED_INSUFFICIENT 8 /* Can not access authentication data */
/* due to insufficient credentials */
#define PAM_AUTHINFO_UNAVAIL 9 /* Underlying authentication service */
/* can not retrieve authentication */
/* information */
#define PAM_USER_UNKNOWN 10 /* User not known to the underlying */
/* authenticaiton module */
#define PAM_MAXTRIES 11 /* An authentication service has */
/* maintained a retry count which has */
/* been reached. No further retries */
/* should be attempted */
#define PAM_NEW_AUTHTOK_REQD 12 /* New authentication token required. */
/* This is normally returned if the */
/* machine security policies require */
/* that the password should be changed */
/* beccause the password is NULL or it */
/* has aged */
#define PAM_ACCT_EXPIRED 13 /* User account has expired */
#define PAM_SESSION_ERR 14 /* Can not make/remove an entry for */
/* the specified session */
#define PAM_CRED_UNAVAIL 15 /* Underlying authentication service */
/* can not retrieve user credentials */
/* unavailable */
#define PAM_CRED_EXPIRED 16 /* User credentials expired */
#define PAM_CRED_ERR 17 /* Failure setting user credentials */
#define PAM_NO_MODULE_DATA 18 /* No module specific data is present */
#define PAM_CONV_ERR 19 /* Conversation error */
#define PAM_AUTHTOK_ERR 20 /* Authentication token manipulation error */
#define PAM_AUTHTOK_RECOVERY_ERR 21 /* Authentication information */
/* cannot be recovered */
#define PAM_AUTHTOK_LOCK_BUSY 22 /* Authentication token lock busy */
#define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */
#define PAM_TRY_AGAIN 24 /* Preliminary check by password service */
#define PAM_IGNORE 25 /* Ignore underlying account module */
/* regardless of whether the control */
/* flag is required, optional, or sufficient */
#define PAM_ABORT 26 /* Critical error (?module fail now request) */
#define PAM_AUTHTOK_EXPIRED 27 /* user's authentication token has expired */
#define PAM_MODULE_UNKNOWN 28 /* module is not known */
#define PAM_BAD_ITEM 29 /* Bad item passed to pam_*_item() */
#define PAM_CONV_AGAIN 30 /* conversation function is event driven
and data is not available yet */
#define PAM_INCOMPLETE 31 /* please call this function again to
complete authentication stack. Before
calling again, verify that conversation
is completed */
/*
* Add new #define's here - take care to also extend the libpam code:
* pam_strerror() and "libpam/pam_tokens.h" .
*/
#define _PAM_RETURN_VALUES 32 /* this is the number of return values */
/* ---------------------- The Linux-PAM flags -------------------- */
/* Authentication service should not generate any messages */
#define PAM_SILENT 0x8000U
/* Note: these flags are used by pam_authenticate{,_secondary}() */
/* The authentication service should return PAM_AUTH_ERROR if the
* user has a null authentication token */
#define PAM_DISALLOW_NULL_AUTHTOK 0x0001U
/* Note: these flags are used for pam_setcred() */
/* Set user credentials for an authentication service */
#define PAM_ESTABLISH_CRED 0x0002U
/* Delete user credentials associated with an authentication service */
#define PAM_DELETE_CRED 0x0004U
/* Reinitialize user credentials */
#define PAM_REINITIALIZE_CRED 0x0008U
/* Extend lifetime of user credentials */
#define PAM_REFRESH_CRED 0x0010U
/* Note: these flags are used by pam_chauthtok */
/* The password service should only update those passwords that have
* aged. If this flag is not passed, the password service should
* update all passwords. */
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020U
/* ------------------ The Linux-PAM item types ------------------- */
/* These defines are used by pam_set_item() and pam_get_item().
Please check the spec which are allowed for use by applications
and which are only allowed for use by modules. */
#define PAM_SERVICE 1 /* The service name */
#define PAM_USER 2 /* The user name */
#define PAM_TTY 3 /* The tty name */
#define PAM_RHOST 4 /* The remote host name */
#define PAM_CONV 5 /* The pam_conv structure */
#define PAM_AUTHTOK 6 /* The authentication token (password) */
#define PAM_OLDAUTHTOK 7 /* The old authentication token */
#define PAM_RUSER 8 /* The remote user name */
#define PAM_USER_PROMPT 9 /* the prompt for getting a username */
/* Linux-PAM extensions */
#define PAM_FAIL_DELAY 10 /* app supplied function to override failure
delays */
#define PAM_XDISPLAY 11 /* X display name */
#define PAM_XAUTHDATA 12 /* X server authentication data */
#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */
/* -------------- Special defines used by Linux-PAM -------------- */
#if defined(__GNUC__) && defined(__GNUC_MINOR__)
# define PAM_GNUC_PREREQ(maj, min) \
((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
#else
# define PAM_GNUC_PREREQ(maj, min) 0
#endif
#if PAM_GNUC_PREREQ(2,5)
# define PAM_FORMAT(params) __attribute__((__format__ params))
#else
# define PAM_FORMAT(params)
#endif
#if PAM_GNUC_PREREQ(3,3) && !defined(LIBPAM_COMPILE)
# define PAM_NONNULL(params) __attribute__((__nonnull__ params))
#else
# define PAM_NONNULL(params)
#endif
/* ---------- Common Linux-PAM application/module PI ----------- */
extern int PAM_NONNULL((1))
pam_set_item(pam_handle_t *pamh, int item_type, const void *item);
extern int PAM_NONNULL((1))
pam_get_item(const pam_handle_t *pamh, int item_type, const void **item);
extern const char *
pam_strerror(pam_handle_t *pamh, int errnum);
extern int PAM_NONNULL((1,2))
pam_putenv(pam_handle_t *pamh, const char *name_value);
extern const char * PAM_NONNULL((1,2))
pam_getenv(pam_handle_t *pamh, const char *name);
extern char ** PAM_NONNULL((1))
pam_getenvlist(pam_handle_t *pamh);
/* ---------- Common Linux-PAM application/module PI ----------- */
/*
* here are some proposed error status definitions for the
* 'error_status' argument used by the cleanup function associated
* with data items they should be logically OR'd with the error_status
* of the latest return from libpam -- new with .52 and positive
* impression from Sun although not official as of 1996/9/4
* [generally the other flags are to be found in pam_modules.h]
*/
#define PAM_DATA_SILENT 0x40000000 /* used to suppress messages... */
/*
* here we define an externally (by apps or modules) callable function
* that primes the libpam library to delay when a stacked set of
* modules results in a failure. In the case of PAM_SUCCESS this delay
* is ignored.
*
* Note, the pam_[gs]et_item(... PAM_FAIL_DELAY ...) can be used to set
* a function pointer which can override the default fail-delay behavior.
* This item was added to accommodate event driven programs that need to
* manage delays more carefully. The function prototype for this data
* item is
* void (*fail_delay)(int status, unsigned int delay, void *appdata_ptr);
*/
#define HAVE_PAM_FAIL_DELAY
extern int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay);
/* ------------ The Linux-PAM conversation structures ------------ */
/* Message styles */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON 2
#define PAM_ERROR_MSG 3
#define PAM_TEXT_INFO 4
/* Linux-PAM specific types */
#define PAM_RADIO_TYPE 5 /* yes/no/maybe conditionals */
/* This is for server client non-human interaction.. these are NOT
part of the X/Open PAM specification. */
#define PAM_BINARY_PROMPT 7
/* maximum size of messages/responses etc.. (these are mostly
arbitrary so Linux-PAM should handle longer values). */
#define PAM_MAX_NUM_MSG 32
#define PAM_MAX_MSG_SIZE 512
#define PAM_MAX_RESP_SIZE 512
/* Used to pass prompting text, error messages, or other informatory
* text to the user. This structure is allocated and freed by the PAM
* library (or loaded module). */
struct pam_message {
int msg_style;
const char *msg;
};
/* if the pam_message.msg_style = PAM_BINARY_PROMPT
the 'pam_message.msg' is a pointer to a 'const *' for the following
pseudo-structure. When used with a PAM_BINARY_PROMPT, the returned
pam_response.resp pointer points to an object with the following
structure:
struct {
u32 length; # network byte order
unsigned char type;
unsigned char data[length-5];
};
The 'libpamc' library is designed around this flavor of
message and should be used to handle this flavor of msg_style.
*/
/* Used to return the user's response to the PAM library. This
structure is allocated by the application program, and free()'d by
the Linux-PAM library (or calling module). */
struct pam_response {
char *resp;
int resp_retcode; /* currently un-used, zero expected */
};
/* The actual conversation structure itself */
struct pam_conv {
int (*conv)(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
void *appdata_ptr;
};
/* Used by the PAM_XAUTHDATA pam item. Contains X authentication
data used by modules to connect to the user's X display. Note:
this structure is intentionally compatible with xcb_auth_info_t. */
struct pam_xauth_data {
int namelen;
char *name;
int datalen;
char *data;
};
/* ... adapted from the pam_appl.h file created by Theodore Ts'o and
*
* Copyright Theodore Ts'o, 1996. All rights reserved.
* Copyright (c) Andrew G. Morgan <morgan@linux.kernel.org>, 1996-8
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, and the entire permission notice in its entirety,
* including the disclaimer of warranties.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior
* written permission.
*
* ALTERNATIVELY, this product may be distributed under the terms of
* the GNU Public License, in which case the provisions of the GPL are
* required INSTEAD OF the above restrictions. (This clause is
* necessary due to a potential bad interaction between the GPL and
* the restrictions contained in a BSD-style copyright.)
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE. */
#endif /* _SECURITY__PAM_TYPES_H */