hat PAM demands that it drives the whole authentication process, it is not possible to leave such protocol subtleties up to the PAM library. To overcome this potential problem, the application provides the PAM library with a conversation function. This function is called from within the PAM library and enables the library to interact directly with the client. The conversation function must be able to prompt the user with text and/or obtain textual input from the user for processing by the PAM library. The details of this function are provided in a later section.
For example, the conversation function may be called by the PAM library with a request to prompt the user for a password. Its job is to reformat the prompt request into a form that the client will understand. In the case of ftpd, this might involve prefixing the string with the number 331 and sending the request over the network to a connected client. The conversation function will then obtain any reply and, after extracting the typed password, will return this string of text to the PAM library. Similar concerns need to be addressed in the case of an X-based graphical server.
There are a number of issues that need to be addressed when one is porting an existing application to become PAM compliant. A section below has been devoted to this: Porting legacy applications.
Besides authentication, PAM provides other forms of management.
Session management is provided with calls to pam_open_session() and pam_close_session(). What these functions actually do is up to the local administrator, but typically they could be used to log entry to and exit from the system, or to mount and unmount the user's home directory. If an application provides continuous service for a period of time, it should probably call these functions: open the session after the user is authenticated and close it when the service is terminated.
Account management is another area that an application developer should handle, with a call to pam_acct_mgmt(). This call performs checks on the good health of the user's account (has it expired, etc.). One of the things this function may check is whether the user's authentication token has expired. In such a case the application may choose to attempt to update it with a call to pam_chauthtok(), although some applications are not suited to this task (ftp, for example), and in that case the application should deny access to the user.
PAM is also capable of setting and deleting the user's credentials with the call pam_setcred(). This function should always be called after the user is authenticated and before service is offered to the user. By convention, this should be the last call to the PAM library before the PAM session is opened. What exactly a credential is, is not well defined. However, some examples are given in the glossary below.
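As an added example, not code from the Linux-PAM guide or from any ftpd, here is a conversation function in the ftpd style described above (prefixing prompts with 331) together with the sequence of management calls these paragraphs describe. The message-style values and structures in the fallback branch are assumed to match Linux-PAM; struct ftp_client, pam_serve() and the service name "ftp" are hypothetical names chosen for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef USE_LIBPAM   /* real build: cc -DUSE_LIBPAM ftp_pam.c -lpam */
#include <security/pam_appl.h>
#else               /* assumed Linux-PAM values so ftp_conv() builds and runs stand-alone */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1,
       PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
#endif
/* Handed to PAM as appdata_ptr; a canned reply (constructed) stands in for the client socket. */
struct ftp_client { const char *pending_reply; char wire[128]; };
/* Conversation function: PAM asks, the application reframes the prompt for its own protocol. */
static int ftp_conv(int n, const struct pam_message **msg,
                    struct pam_response **out, void *appdata_ptr)
{
    struct ftp_client *c = appdata_ptr;
    struct pam_response *r = n > 0 ? calloc((size_t)n, sizeof *r) : NULL;
    for (int i = 0; r && i < n; i++) {
        int style = msg[i]->msg_style, ok;
        if (style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) {
            snprintf(c->wire, sizeof c->wire, "331 %s", msg[i]->msg); /* ftpd's framing */
            ok = (r[i].resp = strdup(c->pending_reply)) != NULL;
        } else
            ok = style == PAM_ERROR_MSG || style == PAM_TEXT_INFO; /* shown as text, no reply */
        if (ok) continue;
        while (i--) free(r[i].resp);   /* unknown style or no memory: give PAM nothing back */
        free(r);
        r = NULL;
    }
    *out = r;
    return r ? PAM_SUCCESS : PAM_CONV_ERR;
}
#ifdef USE_LIBPAM   /* the call order the guide describes; pam_serve() is a hypothetical name */
int pam_serve(const char *user, struct ftp_client *c)
{
    struct pam_conv conv = { ftp_conv, c }; pam_handle_t *pamh = NULL; int rc;
    if ((rc = pam_start("ftp", user, &conv, &pamh)) != PAM_SUCCESS) return rc; /* "ftp" assumed */
    rc = pam_authenticate(pamh, 0);
    if (rc == PAM_SUCCESS) rc = pam_acct_mgmt(pamh, 0);
    if (rc == PAM_NEW_AUTHTOK_REQD) rc = PAM_PERM_DENIED;   /* ftp cannot run pam_chauthtok() */
    if (rc == PAM_SUCCESS) rc = pam_setcred(pamh, PAM_ESTABLISH_CRED); /* last call before session */
    if (rc == PAM_SUCCESS && (rc = pam_open_session(pamh, 0)) == PAM_SUCCESS) { /* serve, then: */
        pam_close_session(pamh, 0); pam_setcred(pamh, PAM_DELETE_CRED);
    }
    pam_end(pamh, rc);
    return rc;
}
#endif
```

Without USE_LIBPAM only the conversation function is built, which is enough to exercise the 331 framing and the error path offline; the response array it returns is owned by libpam, which frees it after use.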