LinuxCommandLibrary

pamvalidate

Validate authentication using PAM modules

TLDR

Copy a Netpbm file from stdin to stdout if and only if it is valid; fail otherwise

$ [command] | pamvalidate > [path/to/output.ext]

SYNOPSIS

pamvalidate [options]
Reads username and PIN from stdin.

PARAMETERS

-h, --help
    Display usage summary and exit

-V, --version
    Print version information and exit

-d, --debug
    Enable debug output to stderr

-c FILE, --config=FILE
    Use alternate config file instead of default

DESCRIPTION

pamvalidate is a setuid-root helper program used primarily by the pam_p11 PAM module for secure PIN validation of PKCS#11 security tokens (e.g., smart cards). It reads a username on the first line of stdin and a PIN on the second line, then attempts to log in to the user's configured token using the p11-kit proxy. Success returns exit code 0 and prints OK; failure returns 1. It is designed to avoid exposing full token access to unprivileged processes during PAM authentication conversations. Part of the libpam-p11 package, it supports certificate-based authentication without storing plaintext PINs.

CAVEATS

Requires setuid-root permissions (chmod 4755); insecure if misconfigured. Only validates the PIN; it does not perform full authentication. Debug mode logs sensitive information.

EXAMPLE USAGE

printf 'user\n123456\n' | pamvalidate -d
Outputs: OK (exit 0) or nothing (exit 1)

INPUT FORMAT

stdin must provide exactly two lines: username followed by PIN. No prompts issued.
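A wrapper around the usage and input contract described above, added here as an example and not taken from this page or the libpam-p11 project. It assumes only what the page states (username on line 1, PIN on line 2, exit 0 on success, 1 on failure) and that a pamvalidate executable is on PATH; the PAMVALIDATE variable is hypothetical and exists so the command can be swapped for a stub.

```shell
#!/bin/sh
# Added example; not code from the pamvalidate page or the libpam-p11 project.
# Assumes the stdin contract described above: line 1 = username, line 2 = PIN,
# exit status 0 on success and 1 on failure. The PIN is never placed on a
# command line, so it does not show up in `ps` output or shell history.

# Command to run. Hypothetical variable, overridable so the wrapper can be
# exercised against a stub instead of the real setuid helper.
PAMVALIDATE="${PAMVALIDATE:-pamvalidate}"

# A literal newline, used to reject input that would break the two-line protocol
# (command substitution strips trailing newlines, hence the trailing x).
nl=$(printf '\nx'); nl=${nl%x}

# check_pin USER PIN
#   returns pamvalidate's exit status (0 = OK, 1 = rejected),
#   or 2 if USER or PIN contains a newline and could smuggle in an extra line.
# printf replaces `echo -e`: -e is not portable, and echo would interpret
# backslash sequences inside the PIN.
check_pin() {
    user=$1
    pin=$2
    case "$user$pin" in
        *"$nl"*) return 2 ;;
    esac
    # Debug mode (-d) is deliberately not used: the page notes it logs sensitive data.
    printf '%s\n%s\n' "$user" "$pin" | "$PAMVALIDATE" >/dev/null 2>&1
}

# prompt_and_check
#   interactive front end: reads the PIN with terminal echo disabled and
#   restores echo even if the read is interrupted.
prompt_and_check() {
    printf 'Username: '
    IFS= read -r user
    printf 'PIN: '
    trap 'stty echo' EXIT INT TERM
    stty -echo
    IFS= read -r pin
    stty echo
    trap - EXIT INT TERM
    printf '\n'
    check_pin "$user" "$pin"
}
```

Call prompt_and_check from an interactive shell and branch on its exit status; the sample test below drives check_pin with a stub in place of the real helper.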

HISTORY

Introduced in the libpam-p11 project around 2010 for p11-kit integration. Evolved with OpenSC and p11-kit to support modern token proxies. Maintained in distributions such as Fedora and Ubuntu via the pam-p11 package.

SEE ALSO

pam_p11(8), p11-kit(8), pkcs11-tool(1)