oreilly.comSafari Books Online.Conferences.


Writing PAM Modules, Part Two
Pages: 1, 2, 3

The Conversation Function

An application may display a message in any number of formats. A GUI displays messages very differently from a command line interface, and both are different from a secure HTTP session or an FTP session.

PAM insulates the module developer from these issues, by requiring the application to provide a conversation function. This function takes messages from the module, presents them to the user, and provides the module with responses.

A call to pam_get_item(pamhandle, PAM_CONV, &item) produces a pointer to a conversation structure. The conversation structure contains the conversation function and a pointer that the application can use to transfer data.

struct pam_conv {
    int (*conv)(int num_msg,
        const struct pam_message **msg,
        struct pam_response **resp,
        void *appdata_ptr);
    void *appdata_ptr;

The module uses this function to pass messages to the user. The module may pass messages one at a time or as a cluster of several messages at once. The application will determine whether the messages are presented to the user as a group, or individually.

The module must create an array of pointers to pam_message structures to contain the message strings it needs the application to display. This array is the msg parameter, and each structure contains both the message and the message format. The num_msg parameter is the length of the message array.

struct pam_message {
    int msg_style;
    const char *msg;

Available message formats are:

Display an error message.

Receive a string but do not echo input.

Receive a string and echo input.
Display a message.

The application will provide an array of pam_response structures on return. The module must provide a pointer, which the application can fill with a pointer to the array. Yes, this is a complicated piece of indirection. The module provides its pointer as the resp parameter.

The module should fill this pointer with a NULL or other testable value before calling the conversation function, so it can verify that the application has changed it.

struct pam_response {
    char *resp;
    int resp_retcode;

The resp_retcode in the response structure is currently meaningless, and is usually filled with a 0.

Note that the appdata_ptr is included as the last parameter of the function -- this is important. The application uses the appdata_ptr to transfer data it may need within the function, so be sure to send it that pointer.

Aside from PAM_SUCCESS, the conversation function might return PAM_CONV_ERR.

Pages: 1, 2, 3

Next Pagearrow

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: