This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, /etc/pam.d/other is used instead.  If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(3) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

module-type     control-flag    module-path     arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.

 control-flag: How libpam handles success or failure of the module.
   required:   success is required; on failure all remaining
               modules are run, but the request will be denied.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   binding:    success is sufficient; on failure all remaining
               modules are run, but the request will be denied.
   optional:   ignored unless the other modules return PAM_IGNORE.

 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.
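
Added example (not part of the original README or of the PAM sources):
a small Python check for the note above, which parses a /etc/pam.d-style
file and reports every module type whose chain ends on a "sufficient"
entry.  The function names, the sample files and the pam_example_*.so
module names are constructed placeholders; only the four-field pam.d
form is handled, not pam.conf lines with a leading service field.

```python
# Added example: lint a pam.d-style service file for chains ending in "sufficient".
MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "binding", "optional"}


def parse_chain(text):
    """Return {module_type: [(control_flag, module_path, args), ...]} in file order."""
    chains = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments start at '#'
        if not line:
            continue  # blank or comment-only line
        fields = line.split()
        if len(fields) < 3:
            continue  # too short to be a configuration line
        mtype, flag, path, *args = fields
        if mtype not in MODULE_TYPES or flag not in CONTROL_FLAGS:
            continue  # not one of the forms summarised in this README
        chains.setdefault(mtype, []).append((flag, path, args))
    return chains


def dangling_sufficient(text):
    """Module types whose last entry is 'sufficient', with nothing after it."""
    chains = parse_chain(text)
    return sorted(t for t, chain in chains.items() if chain[-1][0] == "sufficient")


# Constructed sample service files (module names are illustrative placeholders).
WEAK = """\
# hypothetical service: the auth chain ends on a sufficient module
auth     sufficient  pam_example_a.so  no_warn
auth     sufficient  pam_example_b.so  no_warn try_first_pass
account  required    pam_example_c.so
"""
# Same file with the terminating entry the note above recommends.
FIXED = WEAK + "auth     required    pam_deny.so\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, dangling_sufficient(conf) or "ok")
```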