PAM configuration file
The /etc/pam.conf configuration file consists of service entries for each PAM module type and serves to route services through a defined module path.
```
service_name module_type control_flag module_path module_options
```

The descriptions of these fields follow:

service_name
- Specifies the name of the service. The keyword OTHER is used to define the default module to use for applications that are not specified in an entry.

module_type
- Specifies the module type for the service. Valid module types are auth, account, session, or password. A given module will provide support for one or more module types.

control_flag
- Specifies the stacking behavior for the module. Supported control flags are required, requisite, sufficient, or optional.

module_path
- Specifies the module to load for the service. The value of module_path can be either the full path to the module or just the module name. If the full path to the module is specified, the PAM library loads the module from that module_path for 32-bit services, or from the 64 subdirectory under it for 64-bit services. If the full path to the module is not specified, the PAM library adds the prefix /usr/lib/security (for 32-bit services) or /usr/lib/security/64 (for 64-bit services) to the module name.

module_options
- Specifies a space-delimited list of options that can be passed to the service modules. Values for this field depend on the options supported by the module defined in the module_path field. This field is optional.
Malformed entries, and entries with incorrect values in the module_type or control_flag fields, are ignored by the PAM library. Entries that begin with a number sign (#) are also ignored, because this denotes a comment.
PAM supports a concept typically referred to as "stacking", allowing multiple mechanisms to be used for each service. Stacking is implemented in the configuration file by creating multiple entries for a service with the same module_type field. The modules are invoked in the order in which they are listed in the file for a given service, with the final result determined by the control_flag field specified for each entry. Valid values for the control_flag field and the corresponding behavior in the stack are as follows:
| Value for the control_flag field | Behavior |
|---|---|
| required | All required modules in a stack must pass for a successful result. If one or more of the required modules fail, all of the required modules in the stack will be attempted, but the error from the first failed required module is returned. |
| requisite | Similar to required, except that if a requisite module fails, no further modules in the stack are processed and it immediately returns the first failure code from a required or requisite module. |
| sufficient | If a module flagged as sufficient succeeds and no previous required or sufficient modules have failed, all remaining modules in the stack are ignored and success is returned. |
| optional | If none of the modules in the stack are required and no sufficient modules have succeeded, then at least one optional module for the service must succeed. If another module in the stack is successful, a failure in an optional module is ignored. |
```
#
# PAM configuration file /etc/pam.conf
#
# Authentication Management
login auth required /usr/lib/security/pam_ckfile file=/etc/nologin
login auth required /usr/lib/security/pam_aix
login auth optional /usr/lib/security/pam_test use_first_pass
OTHER auth required /usr/lib/security/pam_prohibit
```
The example configuration file contains three entries for the login service. Because both pam_ckfile and pam_aix are specified as required, both modules will be run and both must succeed for the overall result to be successful. The third entry, for the fictitious pam_test module, is optional, and its success or failure will not affect whether the user is able to log in. The option use_first_pass to the pam_test module requires that a previously entered password be used instead of prompting for a new one.

Use of the OTHER keyword as a service name enables a default to be set for any other services that are not explicitly declared in the configuration file. Setting up a default ensures that all cases for a given module type will be covered by at least one module. In this example, all services other than login will always fail, since the pam_prohibit module returns a PAM failure for all invocations.
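To make the stacking rules concrete, the following is an added example, not part of the AIX documentation or the PAM library, that parses pam.conf entries and evaluates a stack against a constructed set of module results. The `bogus` entry, the result-code dictionary and the use of PAM_AUTH_ERR as the code for an unlisted module are assumptions made for the sample.

```python
# Added example (not AIX's own code): evaluates the /etc/pam.conf stacking rules above.
# PAM_CONF is a constructed copy of the login/OTHER example plus one malformed entry.
PAM_CONF = """\
login auth required /usr/lib/security/pam_ckfile file=/etc/nologin
login auth required /usr/lib/security/pam_aix
login auth optional /usr/lib/security/pam_test use_first_pass
OTHER auth required /usr/lib/security/pam_prohibit
bogus auth badflag /usr/lib/security/pam_aix
"""
TYPES = ("auth", "account", "session", "password")
FLAGS = ("required", "requisite", "sufficient", "optional")

def parse_pam_conf(text):
    """(service, type, flag, module_name, options) per valid entry; comment
    lines and malformed entries are skipped, as the PAM library ignores them."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0][0] == "#" or f[1] not in TYPES or f[2] not in FLAGS:
            continue
        entries.append((f[0], f[1], f[2], f[3].rsplit("/", 1)[-1], f[4:]))
    return entries

def stack_for(entries, service, mtype):
    """The service's own stack for one module type, else the OTHER default."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "OTHER" and e[1] == mtype]

def run_stack(stack, results):
    """Apply the control_flag rules. results maps module name -> standard PAM
    result code (constructed sample data); an unlisted module counts as failed."""
    first_error = None   # first failure from a required/requisite module
    blocked = False      # a required or sufficient module has already failed
    any_success = False
    for _svc, _type, flag, name, _opts in stack:
        rc = results.get(name, "PAM_AUTH_ERR")
        ok = rc == "PAM_SUCCESS"
        any_success = any_success or ok
        if flag in ("required", "requisite"):
            if not ok:
                first_error, blocked = first_error or rc, True
                if flag == "requisite":
                    return first_error   # stop the stack immediately
        elif flag == "sufficient":
            if ok and not blocked:
                return "PAM_SUCCESS"     # remaining modules are skipped
            blocked = blocked or not ok
    has_required = any(e[2] in ("required", "requisite") for e in stack)
    return first_error or ("PAM_SUCCESS" if has_required or any_success else "PAM_AUTH_ERR")
```

Running the login stack with pam_test failing still yields PAM_SUCCESS, while any service without its own entries falls through to the OTHER stack and inherits pam_prohibit's failure.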