man7.org > Linux > man-pages

Linux/UNIX system programming training

pam_get_authtok(3) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | RETURN VALUES | SEE ALSO | STANDARDS | COLOPHON 

PAM_GET_AUTHTOK(3)           Linux-PAM Manual          PAM_GET_AUTHTOK(3)

NAME         top

       pam_get_authtok, pam_get_authtok_verify, pam_get_authtok_noverify
       - get authentication token

SYNOPSIS         top

       #include <security/pam_ext.h>

       int pam_get_authtok(pam_handle_t *pamh, int item,
                           const char **authtok, const char *prompt);

       int pam_get_authtok_noverify(pam_handle_t *pamh,
                                    const char **authtok,
                                    const char *prompt);

       int pam_get_authtok_verify(pam_handle_t *pamh,
                                  const char **authtok,
                                  const char *prompt);

DESCRIPTION         top

       The pam_get_authtok function returns the cached authentication
       token, or prompts the user if no token is currently cached. It is
       intended for internal use by Linux-PAM and PAM service modules.
       Upon successful return, authtok contains a pointer to the value of
       the authentication token. Note, this is a pointer to the actual
       data and should not be free()'ed or over-written!

       The prompt argument specifies a prompt to use if no token is
       cached. If a NULL pointer is given, pam_get_authtok uses
       pre-defined prompts.

       The following values are supported for item:

       PAM_AUTHTOK
           Returns the current authentication token. Called from
           pam_sm_chauthtok(3) pam_get_authtok will ask the user to
           confirm the new token by retyping it. If a prompt was
           specified, "Retype" will be used as prefix.

       PAM_OLDAUTHTOK
           Returns the previous authentication token when changing
           authentication tokens.

       The pam_get_authtok_noverify function can only be used for
       changing the password (from pam_sm_chauthtok(3)). It returns the
       cached authentication token, or prompts the user if no token is
       currently cached. The difference to pam_get_authtok is, that this
       function does not ask a second time for the password to verify it.
       Upon successful return, authtok contains a pointer to the value of
       the authentication token. Note, this is a pointer to the actual
       data and should not be free()'ed or over-written!

       The pam_get_authtok_verify function can only be used to verify a
       password for mistypes gotten by pam_get_authtok_noverify(3). This
       function asks a second time for the password and verify it with
       the password provided by authtok argument. In case of an error,
       the value of authtok is undefined. Else this argument will point
       to the actual data and should not be free()'ed or over-written!

OPTIONS         top

       pam_get_authtok honours the following module options:

       try_first_pass
           Before prompting the user for their password, the module first
           tries the previous stacked module's password in case that
           satisfies this module as well.

       use_first_pass
           The argument use_first_pass forces the module to use a
           previous stacked modules password and will never prompt the
           user - if no password is available or the password is not
           appropriate, the user will be denied access.

       use_authtok
           When password changing enforce the module to set the new token
           to the one provided by a previously stacked password module.
           If no token is available token changing will fail.

       authtok_type=XXX
           The default action is for the module to use the following
           prompts when requesting passwords: "New UNIX password: " and
           "Retype UNIX password: ". The example word UNIX can be
           replaced with this option, by default it is empty.

RETURN VALUES         top

       PAM_AUTH_ERR
           Authentication token could not be retrieved.

       PAM_AUTHTOK_ERR
           New authentication could not be retrieved.

       PAM_SUCCESS
           Authentication token was successfully retrieved.

       PAM_SYSTEM_ERR
           No space for an authentication token was provided.

       PAM_TRY_AGAIN
           New authentication tokens mismatch.

SEE ALSO         top

       pam(8)

STANDARDS         top

       The pam_get_authtok function is a Linux-PAM extensions.

COLOPHON         top

       This page is part of the linux-pam (Pluggable Authentication
       Modules for Linux) project.  Information about the project can be
       found at ⟨http://www.linux-pam.org/⟩.  If you have a bug report
       for this manual page, see ⟨//www.linux-pam.org/⟩.  This page was
       obtained from the project's upstream Git repository
       ⟨https://github.com/linux-pam/linux-pam.git⟩ on 2023-12-22.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2023-12-18.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       [email protected]

Linux-PAM Manual                12/22/2023             PAM_GET_AUTHTOK(3)

Pages that refer to this page: pam_get_authtok(3)pam_get_item(3)pam_set_item(3)pam_pwhistory(8)pam_systemd_loadkey(8)

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.

For details of in-depth Linux/UNIX system programming training courses that I teach, look here.

Hosting by jambit GmbH.

Cover of TLPI