Documentation
Overview
Package pam contains all the functionality for interfacing with Linux Pluggable Authentication Modules (PAM). Currently, all this package does is check the validity of a user's login passphrase. See http://www.linux-pam.org/Linux-PAM-html/ for more information.
Index
- Constants
- Variables
- func IsUserLoginToken(username string, token *crypto.Key, quiet bool) error
- type Flag
- type Handle
- func (h *Handle) ClearData(name string) error
- func (h *Handle) GetItem(i Item) (unsafe.Pointer, error)
- func (h *Handle) GetSecret(name string) (unsafe.Pointer, error)
- func (h *Handle) GetServiceName() string
- func (h *Handle) GetString(name string) (string, error)
- func (h *Handle) InfoMessage(message string)
- func (h *Handle) SetSecret(name string, secret unsafe.Pointer) error
- func (h *Handle) SetString(name string, s string) error
- func (h *Handle) StartAsPamUser() error
- func (h *Handle) StopAsPamUser() error
- type Item
- type Transaction
Constants

    const (
        // Service is the name which identifies the PAM stack.
        Service Item = C.PAM_SERVICE
        // User identifies the username identity used by a service.
        User = C.PAM_USER
        // Tty is the terminal name.
        Tty = C.PAM_TTY
        // Rhost is the requesting host name.
        Rhost = C.PAM_RHOST
        // Authtok is the currently active authentication token.
        Authtok = C.PAM_AUTHTOK
        // Oldauthtok is the old authentication token.
        Oldauthtok = C.PAM_OLDAUTHTOK
        // Ruser is the requesting user name.
        Ruser = C.PAM_RUSER
        // UserPrompt is the string used to prompt for a username.
        UserPrompt = C.PAM_USER_PROMPT
    )

PAM Item types.

    const (
        // Silent indicates that no messages should be emitted.
        Silent Flag = C.PAM_SILENT
        // DisallowNullAuthtok indicates that authorization should fail
        // if the user does not have a registered authentication token.
        DisallowNullAuthtok = C.PAM_DISALLOW_NULL_AUTHTOK
        // EstablishCred indicates that credentials should be established
        // for the user.
        EstablishCred = C.PAM_ESTABLISH_CRED
        // DeleteCred indicates that credentials should be deleted.
        DeleteCred = C.PAM_DELETE_CRED
        // ReinitializeCred indicates that credentials should be fully
        // reinitialized.
        ReinitializeCred = C.PAM_REINITIALIZE_CRED
        // RefreshCred indicates that the lifetime of existing credentials
        // should be extended.
        RefreshCred = C.PAM_REFRESH_CRED
        // ChangeExpiredAuthtok indicates that the authentication token
        // should be changed if it has expired.
        ChangeExpiredAuthtok = C.PAM_CHANGE_EXPIRED_AUTHTOK
        // PrelimCheck indicates that the modules are being probed as to their
        // ready status for altering the user's authentication token.
        PrelimCheck = C.PAM_PRELIM_CHECK
        // UpdateAuthtok informs the module that this is the call in which it
        // should change the authentication tokens.
        UpdateAuthtok = C.PAM_UPDATE_AUTHTOK
    )

PAM Flag types.
Variables

    var (
        ErrPassphrase = errors.New("incorrect login passphrase")
    )

PAM error values.
Functions
func IsUserLoginToken
IsUserLoginToken returns nil if the presented token is the user's login key, and returns an error otherwise. Note that unless the process is running as root, this check only works for the user running the process.
Types
type Flag (added in v0.2.0)

    type Flag int

Flag is used as input to various PAM functions. Flags can be combined with a bitwise OR. Refer to the official PAM documentation for which flags are accepted by which functions.
type Handle (added in v0.2.0)

    type Handle struct {
        // PamUser is the user for whom the PAM module is running.
        PamUser *user.User
        // contains filtered or unexported fields
    }

Handle wraps the C pam_handle_t type. This is used from within modules.
func (*Handle) GetItem (added in v0.2.0)
GetItem retrieves a PAM information item. This is a pointer directly to the data, so it shouldn't be modified.
func (*Handle) GetSecret (added in v0.2.0)
GetSecret returns a pointer to the C string PAM data with the specified name. This is a pointer directly to the data, so it shouldn't be modified. It should have been previously set with SetSecret().
func (*Handle) GetServiceName (added in v0.3.4)
GetServiceName retrieves the name of the application running the PAM transaction.
func (*Handle) GetString (added in v0.2.0)
GetString gets a string value for the PAM data with the specified name. It should have been previously set with SetString().
func (*Handle) InfoMessage (added in v0.3.2)
InfoMessage sends a message to the application using pam_info().
func (*Handle) SetSecret (added in v0.2.0)
SetSecret sets a copy of the C string secret into the PAM data with the specified name. This copy will be held in locked memory until this PAM data is cleared.
func (*Handle) SetString (added in v0.2.0)
SetString sets a string value for the PAM data with the specified name.
func (*Handle) StartAsPamUser (added in v0.2.1)
StartAsPamUser sets the effective privileges to those of the PAM user.
func (*Handle) StopAsPamUser (added in v0.2.1)
StopAsPamUser restores the original privileges under which the PAM module was running (usually root).
type Transaction (added in v0.2.0)

    type Transaction Handle

Transaction represents a wrapped pam_handle_t type created with pam_start from an application.
func Start (added in v0.2.0)

    func Start(service, username string) (*Transaction, error)

Start initializes a PAM Transaction. End() should be called once the Transaction is no longer needed.
func (*Transaction) Authenticate (added in v0.2.0)

    func (t *Transaction) Authenticate(quiet bool) (bool, error)

Authenticate returns a boolean indicating whether the user authenticated correctly. If the authentication check did not complete, an error is returned instead.
func (*Transaction) End (added in v0.2.0)

    func (t *Transaction) End()

End finalizes a PAM Transaction with pam_end().
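An application-side walk through the Start, Authenticate, End sequence, as an added example that is not part of the fscrypt pam package: it treats (false, nil) from Authenticate as a rejected passphrase and any error as an incomplete check that must fail closed, and it ends the transaction on every path. authTx, VerifyLogin, ErrAuthFailed and fakeTx are names introduced here; authTx stands in for pam.Transaction so the code runs without cgo or libpam.

```go
package main

import (
	"errors"
	"fmt"
)

// authTx is the subset of pam.Transaction needed here, so this runs without cgo or libpam.
type authTx interface {
	Authenticate(quiet bool) (bool, error)
	End()
}

// ErrAuthFailed: PAM completed the check and rejected the passphrase; other errors mean it did not complete.
var ErrAuthFailed = errors.New("pam: incorrect login passphrase")

// VerifyLogin starts a transaction, authenticates, and always Ends it; start has pam.Start's shape.
func VerifyLogin(start func(service, username string) (authTx, error), service, username string, quiet bool) error {
	tx, err := start(service, username)
	if err != nil {
		return fmt.Errorf("pam start: %w", err)
	}
	defer tx.End() // End() must follow Start() on every return path
	ok, err := tx.Authenticate(quiet)
	if err != nil {
		// Check did not complete (module or config problem): fail closed,
		// but keep it distinct from a wrong passphrase.
		return fmt.Errorf("pam authenticate: %w", err)
	}
	if !ok {
		return ErrAuthFailed
	}
	return nil
}

// fakeTx is a constructed stand-in for pam.Transaction used to exercise
// VerifyLogin offline; it records whether End was called.
type fakeTx struct {
	ok, ended bool
	err       error
}

func (f *fakeTx) Authenticate(bool) (bool, error) { return f.ok, f.err }
func (f *fakeTx) End()                            { f.ended = true }

func main() {
	tx := &fakeTx{} // constructed case: passphrase rejected, check completed
	err := VerifyLogin(func(string, string) (authTx, error) { return tx, nil }, "fscrypt", "alice", true)
	fmt.Println(errors.Is(err, ErrAuthFailed), tx.ended) // true true
}
```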