PAM policy
getuserpasswdpam
- Version 8.0 and earlier: getuserpasswdpam() function not available.
- Version 8.5 and later: getuserpasswdpam() function available.
Description
The getuserpasswdpam() function uses PAM password authentication on the policy server host for the specified user.
It is similar to using the getuserpasswd() function with the pampasswordservice keyword in the policy server host’s /etc/pb.settings.
When used, this policy function overrides the pampasswordservice setting in the policy server host’s settings file and works even if the PAM setting is set to no.
The getuserpasswdpam() function prompts the user for the password that belongs to the specified user on the policy server. The password is not echoed to the screen as it is typed.
Note
The user’s failure to provide the correct password does not automatically result in a rejection of the secured task request. The policy should examine the result of the getuserpasswdpam() function and respond accordingly.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = getuserpasswdpam(user, pampasswordservice[, prompt[, attempts[, name, time]]]);
Arguments
Argument | Description
--- | ---
user | Required. The user whose password must be entered.
pampasswordservice | Required. The name of the PAM service that you want to use for PAM password authentication and account management.
prompt | Optional. Extra text that appears before the PAM prompt that displays for the user. Enter a null argument ("") if you do not want to add text before the PAM prompt.
attempts | Optional. The number of attempts that the user has to enter the correct password. The default value for attempts is 3.
name | Optional. The name of a file or persistent variable whose age/expiration determines the re-authentication grace period. If the value starts with a dollar sign ($), it is treated as a persistent variable; otherwise it is treated as a file name. If name is specified, the time parameter (below) is required.
time | Required if the name argument (above) is specified. The time/expiry date (number of seconds) after which a prompt is forced. getuserpasswdpam() returns true without prompting the user for a password if either of the following is true: (a) the file defined by the name argument exists and has not been modified in the last time seconds; (b) the persistent variable defined by the name argument exists and its expiry date, defined by time, has not been exceeded.
Return values
Value | Meaning
--- | ---
true | Password matched.
false | Password did not match or invalid password service.
Example
In this example, result contains true if the user enters the password for the runuser. If the correct password is not entered in three attempts, then the function sets result to false.
result = getuserpasswdpam(runuser, "pbulpass", "Please enter " + runuser + "'s Password: ");
Example
In this example, the file /opt/pbul/gp001 is created at initial successful user authentication and for 5 minutes (300 seconds) thereafter, the user is not prompted for a password as long as the file is not modified.
getuserpasswdpam(user, "pbulpass", "Passwd for "+user+": ", 3, "/opt/pbul/gp001", 300);
For more information, see getuserpasswdpam, submitconfirmuser, runconfirmuser, getstringpasswd, pampasswordservice, and Persistent variables.
submitconfirmuserpam
Description
The submitconfirmuserpam() function controls whether or not a user must enter a password before the current task request is accepted. Password authentication and account management are performed by PAM, and the name of the PAM service must be provided. When this function is set, the user submitting the request is prompted for the password that is associated with the submit host user name set in this function.
When used, this policy function overrides the pampasswordservice setting in the submit host’s settings file and works even if the PAM setting is set to no.
Note
The user’s failure to provide the correct password does not automatically result in a rejection of the secured task request. The policy should examine the result of the submitconfirmuserpam() function and respond accordingly.
Syntax
result = submitconfirmuserpam(user, pampasswordservice[, prompt[, attempts[, name, time]]]);
Arguments
Argument | Description
--- | ---
user | Required. A string that contains a user name that exists on the submit host.
pampasswordservice | Required. The name of the PAM service that you want to use for PAM password authentication and account management.
prompt | Optional. The prompt text for the password. The default is Enter password for .
attempts | Optional. The number of attempts that the user has to enter the correct password. The default value for attempts is 3.
name | Optional. The name of a persistent variable whose expiration determines the re-authentication grace period. The value must start with a dollar sign ($); otherwise no grace period is set and submitconfirmuserpam() always prompts for a password. If name is specified, the time parameter (below) is required.
time | Required if the name argument (above) is specified. The expiry date (number of seconds) after which a prompt is forced. submitconfirmuserpam() returns true without prompting the user for a password if the persistent variable defined by the name argument exists and its expiry date, defined by time, has not been exceeded.
Return values
Value | Meaning
--- | ---
true | Password matched.
false | Password did not match or invalid password service.
Example
result = submitconfirmuserpam(user, "pbulpass", "Please enter the user's password:", 3);
if (result != 1) {reject;}
In this example, a persistent variable gpvar5 is created at initial successful user authentication and for 5 minutes (300 seconds) thereafter, the user is not prompted for a password.
submitconfirmuserpam(user, "pbulpass", "Passwd for "+user+": ", 3, "$gpvar5", 300);
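As an added example (not from this page or the product's own documentation), assuming the "pbulpass" PAM service used above and a constructed persistent-variable name $reauth_ok: the policy grants a 10-minute re-authentication grace period and then examines the return value, as both notes require, so a failed or unanswered password prompt leads to an explicit reject instead of being silently ignored.

```pbpolicy
# Added example: PAM re-authentication with a grace period, result examined.
# "pbulpass" is the PAM service named on this page; "$reauth_ok" is a
# constructed persistent-variable name, not one from the page.
result = submitconfirmuserpam(user, "pbulpass", "Password for " + user + ": ", 3, "$reauth_ok", 600);
if (result != 1) {
    # A wrong password does not reject the request by itself,
    # so the policy must do so explicitly.
    reject;
}
accept;
```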
For more information, see submitconfirmuser and Persistent variables.