<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>The Linux-PAM Module Writers' Guide: Generic optional arguments</TITLE>
 <LINK HREF="pam_modules-5.html" REL=next>
 <LINK HREF="pam_modules-3.html" REL=previous>
 <LINK HREF="pam_modules.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="pam_modules-5.html">Next</A>
<A HREF="pam_modules-3.html">Previous</A>
<A HREF="pam_modules.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4. Generic optional arguments</A></H2>

<P>Here we list the generic arguments that all modules can expect to
be passed. They are not mandatory, and their absence should be
accepted without comment by the module.
<P>
<P>
<DL>
<DT><B><CODE>debug</CODE></B><DD><P>Use the <CODE>syslog(3)</CODE> call to log debugging information to the system
log files.
<P>
<DT><B><CODE>no_warn</CODE></B><DD><P>Instruct module to not give warning messages to the application.
<P>
<DT><B><CODE>use_first_pass</CODE></B><DD><P>The module should not prompt the user for a password. Instead, it
should obtain the previously typed password (by a call to
<CODE>pam_get_item()</CODE> for the <CODE>PAM_AUTHTOK</CODE> item), and use that. If
that doesn't work, then the user will not be authenticated. (This
option is intended for <CODE>auth</CODE> and <CODE>passwd</CODE> modules only).
<P>
<DT><B><CODE>try_first_pass</CODE></B><DD><P>The module should attempt authentication with the previously typed
password (by a call to <CODE>pam_get_item()</CODE> for the <CODE>PAM_AUTHTOK</CODE>
item). If that doesn't work, then the user is prompted for a
password. (This option is intended for <CODE>auth</CODE> modules only).
<P>
<DT><B><CODE>use_mapped_pass</CODE></B><DD><P><B>WARNING:</B> coding this functionality may cause the module writer to
break <EM>local</EM> encryption laws. For example, in the U.S. there are
restrictions on the export computer code that is capable of strong
encryption.  It has not been established whether this option is
affected by this law, but one might reasonably assume that it does
until told otherwise.  For this reason, this option is not supported
by any of the modules distributed with <B>Linux-PAM</B>.
<P>The intended function of this argument, however, is that the module
should take the existing authentication token from a previously
invoked module and use it as a key to retrieve the authentication
token for this module. For example, the module might create a strong
hash of the <CODE>PAM_AUTHTOK</CODE> item (established by a previously
executed module). Then, with logical-exclusive-or, use the result as a
<EM>key</EM> to safely store/retrieve the authentication token for this
module in/from a local file <EM>etc</EM>. .
<P>
<DT><B><CODE>expose_account</CODE></B><DD><P>
<P>In general the leakage of some information about user accounts is not
a secure policy for modules to adopt. Sometimes information such as
users names or home directories, or preferred shell, can be used to
attack a user's account. In some circumstances, however, this sort of
information is not deemed a threat: displaying a user's full name when
asking them for a password in a secured environment could also be
called being 'friendly'. The <CODE>expose_account</CODE> argument is a
standard module argument to encourage a module to be less discrete
about account information as it is deemed appropriate by the local
administrator.
<P>
</DL>
<P>
<HR>
<A HREF="pam_modules-5.html">Next</A>
<A HREF="pam_modules-3.html">Previous</A>
<A HREF="pam_modules.html#toc4">Contents</A>
</BODY>
</HTML>