In response to a call to pam_chauthtok() the PAM framework calls pam_sm_chauthtok(3PAM) from the modules listed in the pam.conf(4) file. The password management provider supplies the back-end functionality for this interface function.
The pam_sm_chauthtok() function changes the authentication token associated with a particular user referenced by the authentication handle pamh.
The following flags may be passed to pam_chauthtok():
PAM_SILENT
- The password service should not generate any messages.
PAM_CHANGE_EXPIRED_AUTHTOK
- The password service should only update those passwords that have aged. If this flag is not passed, the password service should update all passwords.
PAM_PRELIM_CHECK
- The password service should only perform preliminary checks. No passwords should be updated.
PAM_UPDATE_AUTHTOK
- The password service should update passwords.
Note that PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK cannot be set at the same time.
Upon successful completion of the call, the authentication token of the user will be ready for change or will be changed, depending upon the flag, in accordance with the authentication scheme configured within the system.
The argc argument represents the number of module options passed in from the configuration file pam.conf(4). The argv argument specifies the module options, which are interpreted and processed by the password management service. Please refer to the specific module man pages for the various available options.
It is the responsibility of pam_sm_chauthtok() to determine if the new password meets certain strength requirements. pam_sm_chauthtok() may continue to re-prompt the user (for a limited number of times) for a new password until the password entered meets the strength requirements.
Before returning, pam_sm_chauthtok() should call pam_get_item() and retrieve both PAM_AUTHTOK and PAM_OLDAUTHTOK. If both are NULL, pam_sm_chauthtok() should set them to the new and old passwords as entered by the user.
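The flag handling and bounded re-prompt described above, as an added C example that is not taken from this manual page or from any shipped module. The DEMO_* constants, the retry limit, the strength policy, the rejection of a call with neither phase flag set, and the entered[] array standing in for conversation-function replies are all assumptions for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Stand-in constants (assumption) so this builds without PAM headers;
 * a real module uses the PAM_* names from <security/pam_modules.h>. */
enum { DEMO_PRELIM_CHECK = 0x1, DEMO_UPDATE_AUTHTOK = 0x2 };
enum { DEMO_SUCCESS, DEMO_SYSTEM_ERR, DEMO_AUTHTOK_ERR, DEMO_MAXTRIES };
#define DEMO_MAX_PROMPTS 3   /* hypothetical retry limit */

/* Hypothetical strength policy: at least 8 characters, at least 2
 * character classes, and different from the old password. */
static int strong_enough(const char *newpw, const char *oldpw)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    if (newpw == NULL || strlen(newpw) < 8) return 0;
    if (oldpw != NULL && strcmp(newpw, oldpw) == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)newpw; *p; p++) {
        if (islower(*p)) lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else other = 1;
    }
    return lower + upper + digit + other >= 2;
}

/* entered[] stands in for successive conversation-function replies.
 * On success in the update phase, *authtok is set if it was NULL. */
int demo_chauthtok(int flags, const char *oldpw, const char *entered[],
                   size_t n_entered, const char **authtok)
{
    int phase = flags & (DEMO_PRELIM_CHECK | DEMO_UPDATE_AUTHTOK);
    /* Phase flags are mutually exclusive; neither set is also rejected
     * here (assumption). */
    if (phase != DEMO_PRELIM_CHECK && phase != DEMO_UPDATE_AUTHTOK)
        return DEMO_SYSTEM_ERR;
    if (phase == DEMO_PRELIM_CHECK)
        return DEMO_SUCCESS;          /* checks only, nothing is updated */
    for (size_t i = 0; i < DEMO_MAX_PROMPTS; i++) {
        if (i >= n_entered)
            return DEMO_AUTHTOK_ERR;  /* no further input from the user */
        if (strong_enough(entered[i], oldpw)) {
            if (*authtok == NULL)     /* keep a token set by an earlier module */
                *authtok = entered[i];
            return DEMO_SUCCESS;
        }
    }
    return DEMO_MAXTRIES;             /* limit reached, stop re-prompting */
}
```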