shadow/man/pw_auth.3.xml

252 lines
8.3 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
<refentry id='pw_auth.3'>
<!-- $Id: pw_auth.3.xml,v 1.17 2005/11/05 17:17:30 kloczek Exp $ -->
<refmeta>
<refentrytitle>pw_auth</refentrytitle>
<manvolnum>3</manvolnum>
<refmiscinfo class="sectdesc">Library Calls</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>pw_auth</refname>
<refpurpose>administrator defined password authentication routines</refpurpose>
</refnamediv>
<refsect1 id='syntax'>
<title>SYNTAX</title>
<para>
<emphasis>#include &lt;pwauth.h&gt;</emphasis>
</para>
<para>
<emphasis>int pw_auth (char</emphasis>
<emphasis remap='I'>*command,</emphasis>
<emphasis>char</emphasis>
<emphasis remap='I'>*user,</emphasis>
<emphasis>int</emphasis>
<emphasis remap='I'>reason,</emphasis>
<emphasis>char</emphasis>
<emphasis remap='I'>*input)</emphasis><emphasis>;</emphasis>
</para>
</refsect1>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
<emphasis>pw_auth</emphasis> invokes the administrator defined
functions for a given user.
</para>
<para>
<emphasis remap='I'>command</emphasis> is the name of the
authentication program. It is retrieved from the user's password file
information. The string contains one or more executable file names,
delimited by semi-colons. Each program will be executed in the order
given. The command line arguments are given for each of the reasons
listed below.
</para>
<para>
<emphasis remap='I'>user</emphasis> is the name of the user to be
authenticated, as given in the <filename>/etc/passwd</filename> file.
User entries are indexed by username. This allows non-unique user IDs
to be present and for each different username associated with that
user ID to have a different authentication program and information.
</para>
<para>
Each of the permissible authentication reasons is handled in a
potentially differenent manner. Unless otherwise mentioned, the
standard file descriptors 0, 1, and 2 are available for communicating
with the user. The real user ID may be used to determine the identity
of the user making the authentication request. <emphasis
remap='I'>reason</emphasis> is one of:
</para>
<variablelist remap='IP'>
<varlistentry>
<term>
<emphasis>PW_SU</emphasis>
</term>
<listitem>
<para>
Perform authentication for the current real user ID attempting
to switch real user ID to the named user. The authentication
program will be invoked with a <option>-s</option> option,
followed by the username.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>PW_LOGIN</emphasis>
</term>
<listitem>
<para>
Perform authentication for the named user creating a new login
session. The authentication program will be invoked with a
<option>-l</option> option, followed by the username.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>PW_ADD</emphasis>
</term>
<listitem>
<para>
Create a new entry for the named user. This allows an
authentication program to initialize storage for a new user. The
authentication program will be invoked with a
<option>-a</option> option, followed by the username.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>PW_CHANGE</emphasis>
</term>
<listitem>
<para>
Alter an existing entry for the named user. This allows an
authentication program to alter the authentication information
for an existing user. The authentication program will be invoked
with a <option>-c</option> option, followed by the username.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>PW_DELETE</emphasis>
</term>
<listitem>
<para>
Delete authentication information for the named user. This
allows an authentication program to reclaim storage for a user
which is no longer authenticated using the authentication
program. The authentication program will be invoked with a
<option>-d</option> option, followed by the username.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>PW_TELNET</emphasis>
</term>
<listitem>
<para>
Authenticate a user who is connecting to the system using the
<command>telnet</command> command. The authentication program
will be invoked with a <option>-t</option> option, followed by
the username.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>PW_RLOGIN</emphasis>
</term>
<listitem>
<para>
Authenticate a user who is connecting to the system using the
<emphasis>rlogin</emphasis> command. The
authentication program will be invoked with a
<option>-r</option> option, followed by the username.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>PW_FTP</emphasis>
</term>
<listitem>
<para>
Authenticate a user who is connecting to the system using the
<emphasis>ftp</emphasis> command. The authentication program
will be invoked with a <option>-f</option> option, followed by
the username. The standard file descriptors are not available
for communicating with the user. The standard input file
descriptor will be connected to the parent process, while the
other two output file descriptors will be connected to
<filename>/dev/null</filename>. The <emphasis>pw_auth</emphasis>
function will pipe a single line of data to the authentication
program using file descriptor 0.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<emphasis>PW_REXEC</emphasis>
</term>
<listitem>
<para>
Authenticate a user who is connecting to the system using the
<emphasis remap='I'>rexec</emphasis> command. The authentication
program will be invoked with a <option>-x</option> option,
followed by the username. The standard file descriptors are not
available for communicating with the remote user. The standard
input file descriptor will be connected to the parent process,
while the other two output file descriptors will be connected to
<filename>/dev/null</filename>. The <emphasis>pw_auth</emphasis>
function will pipe a single line of data to the authentication
program using file descriptor 0.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
The last argument is the authentication data which is used by the
<emphasis>PW_FTP</emphasis> and <emphasis>PW_REXEC</emphasis> reasons.
It is treated as a single line of text which is piped to the
authentication program. When the reason is
<emphasis>PW_CHANGE,</emphasis> the value of <emphasis
remap='I'>input</emphasis> is the value of previous user name if the
user name is being changed.
</para>
</refsect1>
<refsect1 id='caveats'>
<title>CAVEATS</title>
<para>
This function does not create the actual session. It only indicates if
the user should be allowed to create the session.
</para>
<para>The network options are untested at this time.</para>
</refsect1>
<refsect1 id='diagnostics'>
<title>DIAGNOSTICS</title>
<para>
The <emphasis>pw_auth</emphasis> function returns 0 if the
authentication program exited with a 0 exit code, and a non-zero value
otherwise.
</para>
</refsect1>
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>login</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>passwd</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>su</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>userdel</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>usermod</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry>