Struct pam_client::Context[][src]

pub struct Context<ConvT> where
    ConvT: ConversationHandler { /* fields omitted */ }
Expand description

Main struct for PAM interaction

Manages a PAM context holding the transaction state.

See the crate documentation for examples.

Implementations

Creates a PAM context and starts a PAM transaction.

Parameters
  • service – Name of the service. The policy for the service will be read from the file /etc/pam.d/service_name, falling back to /etc/pam.conf.
  • username – Name of the target user. If None, the user will be asked through the conversation handler if neccessary.
  • conversation – A conversation handler through which the user can be asked for his username, password, etc. Use conv_cli::Conversation for a command line default implementation, conv_mock::Conversation for fixed credentials or implement the ConversationHandler trait for custom behaviour.
Errors

Expected error codes include:

  • ErrorCode::ABORT – General failure
  • ErrorCode::BUF_ERR – Memory allocation failure or null byte in parameter.
  • ErrorCode::SYSTEM_ERR – Other system error

Creates a PAM context and starts a PAM transaction taking a boxed conversation handler.

See new() for details.

Returns a reference to the conversation handler.

Returns a mutable reference to the conversation handler.

Returns raw PAM information.

If possible, use the convenience wrappers service(), user(), … instead.

Errors

Expected error codes include:

  • BAD_ITEM – Unsupported, undefined or inaccessible item
  • BUF_ERR – Memory buffer error
  • PERM_DENIED – The value was NULL/None

Updates raw PAM information.

If possible, use the convenience wrappers set_service(), set_user(), … instead.

Errors

Expected error codes include:

  • BAD_ITEM – Unsupported, undefined or inaccessible item
  • BUF_ERR – Memory buffer error
Safety

This method is unsafe. You must guarantee that the data pointed to by value matches the type the PAM library expects. E.g. a null terminated *const c_char for PAM_SERVICE or *const PamXAuthData for PAM_XAUTHDATA.

Returns the service name

Sets the service name

Returns the username of the entity under whose identity service will be given

This value can be mapped by any module in the PAM stack, so don’t assume it stays unchanged after calling other methods on Self.

Sets the username of the entity under whose identity service will be given

Returns the string used when prompting for a user’s name

Sets the string used when prompting for a user’s name

Returns the terminal name

Sets the terminal name

Returns the requesting user name

Sets the requesting user name

Returns the requesting hostname

Sets the requesting hostname

Returns the default password type in the prompt (Linux specific)

E.g. “UNIX” for “Enter UNIX password:”

Sets the default password type in the prompt (Linux specific)

Returns the name of the X display (Linux specific)

Sets the name of the X display (Linux specific)

Returns X authentication data as (name, value) pair (Linux specific).

Sets X authentication data (Linux specific).

Errors

Expected error codes include:

  • BAD_ITEM – Unsupported item
  • BUF_ERR – Memory buffer error

Returns the value of a PAM environment variable.

Searches the environment list in this PAM context for an item with key name and returns the value, if it exists.

Sets or unsets a PAM environment variable.

Modifies the environment list in this PAM context. The name_value argument can take one of the following forms:

  • NAME=value – Set a variable to a given value. If it was already set it is overwritten.
  • NAME= – Set a variable to the empty value. If it was already set it is overwritten.
  • NAME – Delete a variable, if it exists.

Returns a copy of the PAM environment in this context.

The contained variables represent the contents of the regular environment variables of the authenticated user when service is granted.

The returned EnvList type is designed to ease handing the environment to std::process::Command::envs() and nix::unistd::execve().

Authenticates a user.

The conversation handler may be called to ask the user for their name (especially if no initial username was provided), their password and possibly other tokens if e.g. two-factor authentication is required. Conversely the conversation handler may not be called if authentication is handled by other means, e.g. a fingerprint scanner.

Relevant flags are Flag::NONE, Flag::SILENT and Flag::DISALLOW_NULL_AUTHTOK (don’t authenticate empty passwords).

Errors

Expected error codes include:

  • ABORT – Serious failure; the application should exit.
  • AUTH_ERR – The user was not authenticated.
  • CRED_INSUFFICIENT – The application does not have sufficient credentials to authenticate the user.
  • AUTHINFO_UNAVAIL – Could not retrieve authentication information due to e.g. network failure.
  • MAXTRIES – At least one module reached its retry limit. Do not
  • try again.
  • USER_UNKNOWN – User not known.
  • INCOMPLETE – The conversation handler returned CONV_AGAIN. Call again after the asynchronous conversation finished.

Validates user account authorization.

Determines if the account is valid, not expired, and verifies other access restrictions. Usually used directly after authentication. The conversation handler may be called by some PAM module.

Relevant flags are Flag::NONE, Flag::SILENT and Flag::DISALLOW_NULL_AUTHTOK (demand password change on empty passwords).

Errors

Expected error codes include:

  • ACCT_EXPIRED – Account has expired.
  • AUTH_ERR – Authentication failure.
  • NEW_AUTHTOK_REQD – Password has expired. Use chauthtok() to let the user change their password or abort.
  • PERM_DENIED – Permission denied
  • USER_UNKNOWN – User not known
  • INCOMPLETE – The conversation handler returned CONV_AGAIN. Call again after the asynchronous conversation finished.

Fully reinitializes the user’s credentials (if established).

Reinitializes credentials like Kerberos tokens for when a session is already managed by another process. This is e.g. used in lockscreen applications to refresh the credentials of the desktop session.

Relevant flags are Flag::NONE and Flag::SILENT.

Errors

Expected error codes include:

  • BUF_ERR – Memory allocation error
  • CRED_ERR – Setting credentials failed
  • CRED_UNAVAIL – Failed to retrieve credentials
  • SYSTEM_ERR – Other system error
  • USER_UNKNOWN – User not known

Changes a users password.

The conversation handler will be used to request the new password and might query for the old one.

Relevant flags are Flag::NONE, Flag::SILENT and Flag::CHANGE_EXPIRED_AUTHTOK (only initiate change for expired passwords).

Errors

Expected error codes include:

  • AUTHTOK_ERR – Unable to obtain the new password
  • AUTHTOK_RECOVERY_ERR – Unable to obtain the old password
  • AUTHTOK_LOCK_BUSY – Authentication token is currently locked
  • AUTHTOK_DISABLE_AGING – Password aging is disabled (password may be unchangeable in at least one module)
  • PERM_DENIED – Permission denied
  • TRY_AGAIN – Not all modules were able to prepare an authentication token update. Nothing was changed.
  • USER_UNKNOWN – User not known
  • INCOMPLETE – The conversation handler returned CONV_AGAIN. Call again after the asynchronous conversation finished.

Sets up a user session.

Establishes user credentials and performs various tasks to prepare a login session, may create the home directory on first login, mount user-specific directories, log access times, etc. The application must usually have sufficient privileges to perform this task (e.g. have EUID 0). The returned Session object closes the session and deletes the established credentials on drop.

The user should already be authenticated and authorized at this point, but this isn’t enforced or strictly neccessary if the user was authenticated by other means. In that case the conversation handler might be called by e.g. crypt-mount modules to get a password.

Relevant flags are Flag::NONE and Flag::SILENT.

Errors

Expected error codes include:

  • ABORT – Serious failure; the application should exit
  • BUF_ERR – Memory allocation error
  • SESSION_ERR – Some session initialization failed
  • CRED_ERR – Setting credentials failed
  • CRED_UNAVAIL – Failed to retrieve credentials
  • SYSTEM_ERR – Other system error
  • USER_UNKNOWN – User not known
  • INCOMPLETE – The conversation handler returned CONV_AGAIN. Call again after the asynchronous conversation finished.

Maintains user credentials but don’t set up a full user session.

Establishes user credentials and returns a Session object that deletes the credentials on drop. It doesn’t open a PAM session.

The user should already be authenticated and authorized at this point, but this isn’t enforced or strictly neccessary.

Depending on the platform this use case may not be fully supported.

Relevant flags are Flag::NONE and Flag::SILENT.

Errors

Expected error codes include:

  • BUF_ERR – Memory allocation error
  • CRED_ERR – Setting credentials failed
  • CRED_UNAVAIL – Failed to retrieve credentials
  • SYSTEM_ERR – Other system error
  • USER_UNKNOWN – User not known

Resume a session from a SessionToken.

Swap the conversation handler.

Consumes the context, returns the new context and the old conversation handler.

Errors

Expected error codes include:

  • BAD_ITEM – Swapping the conversation handler is unsupported
  • BUF_ERR – Memory buffer error

The error payload contains the old context and the new handler.

Swap the conversation handler (boxed variant).

See replace_conversation().

Trait Implementations

Destructor ending the PAM transaction and releasing the PAM context

Executes the destructor for this type. Read more

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self. Read more

Immutably borrows from an owned value. Read more

Mutably borrows from an owned value. Read more

Performs the conversion.

Performs the conversion.

The type returned in the event of a conversion error.

Performs the conversion.

The type returned in the event of a conversion error.

Performs the conversion.