Nowadays there are three possibilities to configure pam:
- one configuration file /etc/pam.conf (works always)
- a configuration directory /etc/pam.d/
- a configuration directory with includes
If you use one configuration file, then the service (like login or ssh or ...) is in the first column. If you use the configuration directory, then the service is the filename. The next column is one of "auth", "account", "password" or "session". A short explanation:
- auth: autentication
- account: existance and validity of the account
- password: password changes
- session: actions executed at logon and logoff
The next column is one of "required", "requisite", "sufficient", "optional" and in the case of the configuration directory with includes also "include":
- required: All lines that have the required flag must succeed. If only one fails, "false" is returned.
- requisite: If a previously executed "required" has failed, or the "requisite" module fails, it returns immediately "false". Else iexecution continues.
- sufficient: the first sufficient that returns "true" causes to return true and ignore the rest
- optional: if all other return "ignore", then a optional can cause to return "true". Otherwise it is ignored.
- include: jump to the file in the next column. Note that on older pam versions one could acheive the same using the pam_stack.so library.
On newer pam systems you can also use a extended syntax like:
[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]
where you can fine tune the stacking and returncodes of modules depending on the module response.
The next column is the security module that shall be used. These modules are files in the directory /lib/security. Most have manpages. You should consult these manpages to setup the options that are listed in the remaining columns.
Much theory, so let's work with examples: