pam_set_item (3pam) manual page

Table of Contents


pam_set_item, pam_get_item - authentication information routines for PAM


cc [ flag ... ] file ... -lpam [ library ... ] #include <security/pam_appl.h>

int pam_set_item(pam_handle_t *pamh, int item_type, const void *item);

int pam_get_item(const pam_handle_t *pamh, int item_type, void **item);


The pam_get_item() and pam_set_item() functions allow applications and PAM service modules to access and to update PAM information as needed. The information is specified by item_type, and can be one of the following:

The user authentication token.

The pam_conv structure.

The old user authentication token.

A semicolon-separated list of key=value pairs that represent the set of resource controls for application by pam_setcred(3PAM) or pam_open_session(3PAM) . See the individual service module definitions, such as pam_unix_cred(5) , for interpretations of the keys and values.

The remote host name.

The remote user name.

The service name.

The tty name.

The user name.

The default prompt used by pam_get_user().

The repository that contains the authentication token information.

The pam_repository structure is defined as:

struct pam_repository {
char *type; /* Repository type, e.g., files, */ /* nis, ldap */ void *scope; /* Optional scope information */ size_t scope_len; /* length of scope information */ };

The item_type PAM_SERVICE can be set only by pam_start() and is readonly to both applications and service modules.

For security reasons, the item_type PAM_AUTHTOK and PAM_OLDAUTHTOK are available only to the module providers. The authentication module, account module, and session management module should treat PAM_AUTHTOK as the current authentication token and ignore PAM_OLDAUTHTOK. The password management module should treat PAM_OLDAUTHTOK as the current authentication token and PAM_AUTHTOK as the new authentication token.

The pam_set_item() function is passed the authentication handle, pamh, returned by pam_start(), a pointer to the object, item, and its type, item_type. If successful, pam_set_item() copies the item to an internal storage area allocated by the authentication module and returns PAM_SUCCESS. An item that had been previously set will be overwritten by the new value.

The pam_get_item() function is passed the authentication handle, pamh, returned by pam_start(), an item_type, and the address of the pointer, item, which is assigned the address of the requested object. The object data is valid until modified by a subsequent call to pam_set_item() for the same item_type, or unless it is modified by any of the underlying service modules. If the item has not been previously set, pam_get_item() returns a null pointer. An item retrieved by pam_get_item() should not be modified or freed. The item will be released by pam_end().

Return Values

Upon success, pam_get_item() returns PAM_SUCCESS; otherwise it returns an error code. Refer to pam(3PAM) for information on error related return values.


See attributes(5) for description of the following attributes:

tab() allbox; cw(2.750000i)| cw(2.750000i) lw(2.750000i) lw(2.750000i). ATTRIBUTE TYPEATTRIBUTE VALUE Interface Stability Stable MT-LevelMT-Safe with exceptions

The functions in libpam(3LIB) are MT-Safe only if each thread within the multithreaded application uses its own PAM handle.

See Also

libpam(3LIB) , pam(3PAM) , pam_acct_mgmt(3PAM) , pam_authenticate(3PAM) , pam_chauthtok(3PAM) , pam_get_user(3PAM) , pam_open_session(3PAM) , pam_setcred(3PAM) , pam_start(3PAM) , attributes(5) , pam_unix_cred(5)


If the PAM_REPOSITORY item_type is set and a service module does not recognize the type, the service module does not process any information, and returns PAM_IGNORE. If the PAM_REPOSITORY item_type is not set, a service module performs its default action.

Table of Contents