PAM configuration file

The /etc/pam.conf configuration file consists of service entries for each PAM module type and serves to route services through a defined module path.

Entries in the file are composed of the following whitespace-delimited fields:
service_name module_type control_flag module_path module_options
The descriptions of these fields follow:
Specifies the name of the service. The keyword OTHER is used to define the default module to use for applications that are not specified in an entry.
Specifies the module type for the service. Valid module types are auth, account, session, or password. A given module will provide support for one or more module types.
Specifies the stacking behavior for the module. Supported control flags are required, requisite, sufficient, or optional.

Specifies the module to load for the service. Valid values for module_path can be specified as either the full path to the module or just the module name. If the full path to the module is specified, the PAM library uses that module_path to load for 32-bit services or uses 64 subdirectory for 64-bit services. If the full path to the module is not specified, the PAM library adds the prefix /usr/lib/security (for 32-bit services) or /usr/lib/security/64 (for 64-bit services) to the module name.

Specifies a space-delimited list of options that can be passed to the service modules. Values for this field are dependent on the options supported by the module defined in the module_path field. This field is optional.

Malformed entries or entries with incorrect values for the module_type or control_flag fields are ignored by the PAM library. Entries beginning with a number sign (#) character at the beginning of the line are also ignored because this denotes a comment.

PAM supports a concept typically referred to as "stacking", allowing multiple mechanisms to be used for each service. Stacking is implemented in the configuration file by creating multiple entries for a service with the same module_type field. The modules are invoked in the order in which they are listed in the file for a given service, with the final result determined by the control_flag field specified for each entry. Valid values for the control_flag field and the corresponding behavior in the stack are as follows:

Value for the control_flag field Behavior
required All required modules in a stack must pass for a successful result. If one or more of the required modules fail, all of the required modules in the stack will be attempted, but the error from the first failed required module is returned.
requisite Similar to required except that if a requisite module fails, no further modules in the stack are processed and it immediately returns the first failure code from a required or requisite module.
sufficient If a module flagged as sufficient succeeds and no previous required or sufficient modules have failed, all remaining modules in the stack are ignored and success is returned.
optional If none of the modules in the stack are required and no sufficient modules have succeeded, then at least one optional module for the service must succeed. If another module in the stack is successful, a failure in an optional module is ignored.
The following /etc/pam.conf subset is an example of stacking in the auth module type for the login service.
# PAM configuration file /etc/pam.conf

# Authentication Management
login   auth     required       /usr/lib/security/pam_ckfile    file=/etc/nologin
login   auth     required       /usr/lib/security/pam_aix
login   auth     optional       /usr/lib/security/pam_test      use_first_pass
OTHER   auth     required       /usr/lib/security/pam_prohibit
The example of configuration file contains three entries for the login service. Having specified both pam_ckfile and pam_aix as required, both modules will be run and both must be successful for the overall result to be successful. The third entry for the fictitious pam_test module is optional and its success or failure will not affect whether the user is able to login. The option use_first_pass to the pam_test module requires that a previously entered password be used instead of prompting for a new one.

Use of the OTHER keyword as a service name enables a default to be set for any other services that are not explicitly declared in the configuration file. Setting up a default ensures that all cases for a given module type will be covered by at least one module. In the case of this example, all services other than login will always fail since the pam_prohibit module returns a PAM failure for all invocations.