PAM may be configured using a single /etc/pam.conf configuration file or by using multiple configuration files, one for each PAM-aware service, located in the /etc/pam.d/ directory. If /etc/pam.d/ exists, /etc/pam.conf will be ignored. /etc/pam.d/ is the preferred method for configuring PAM.
PAM's configuration is based on "stacking" different modules together to form a processing chain for the task. A standard PAM configuration stanza is structured as follows:
[service-name] module-type control-flag module-name [options]
service-name is used only (and is mandatory) in /etc/pam.conf. It specifies the PAM-aware service whose PAM behavior is being configured. When /etc/pam.d/ is used, the name of the configuration file specifies the service.
module-type specifies which of the four classes of PAM module functionality is being configured. These four classes are account (account management), auth (authentication), password (password management), and session (session management).
control-flag specifies the behavior of the processing chain upon success or failure of the PAM module's authentication task. The following are valid values for control-flag:
module-name specifies the module to execute for this stanza. This is either an absolute path name or a path name relative to the default module location: /usr/lib/security.
options are additional options that may be specified for the module. Refer to the individual modules' documentation for more information on available options.
In addition to the standard configuration stanza format, there is an additional stanza format available when /etc/pam.d/ is used:
module-type include service-name
This stanza format provides a simple inheritance model for processing chains.
/etc/pam.conf
/etc/pam.d/
The following example (/etc/pam.d/login) performs these tasks: allows the login if the old user and new user are the same, verifies that logins are not disabled using the /var/run/nologin file, allows Kerberos 5 password authentication, and requires standard UNIX password authentication if Kerberos 5 failed:
auth sufficient pam_self.so
auth required pam_nologin.so
auth sufficient pam_krb5.so
auth required pam_unix.so
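
When auditing a service, what matters is the effective chain after include stanzas are expanded and module names are resolved. The parser below is an added example, not part of the original page or of any PAM implementation; the sshd service, the /opt/pam path and the function names are hypothetical, and it assumes include pulls in the stanzas of the same module-type from the named service.

```python
import posixpath

MODULE_TYPES = {"account", "auth", "password", "session"}
MODULE_DIR = "/usr/lib/security"  # default module location named on the page

# Constructed /etc/pam.d/ contents: "login" is the page's example chain,
# "sshd" is a hypothetical service that inherits it through include.
PAM_D = {
    "login": "auth sufficient pam_self.so\n"
             "auth required pam_nologin.so\n"
             "auth sufficient pam_krb5.so\n"
             "auth required pam_unix.so\n",
    "sshd": "# hypothetical service\n"
            "auth include login\n"
            "account required /opt/pam/pam_example.so debug\n",
}

def parse_stanza(line, service=None):
    """Parse one stanza; service=None means /etc/pam.conf, where the
    service-name is the mandatory first field."""
    fields = line.split()
    from_pam_conf = service is None
    if from_pam_conf and fields:
        service, fields = fields[0], fields[1:]
    if len(fields) < 3 or fields[0] not in MODULE_TYPES:
        raise ValueError(f"malformed stanza: {line!r}")
    mtype, flag, name, *options = fields
    if flag == "include":
        if from_pam_conf:  # the include format exists only under /etc/pam.d/
            raise ValueError(f"include is not valid in /etc/pam.conf: {line!r}")
        return {"service": service, "type": mtype, "include": name}
    return {"service": service, "type": mtype, "flag": flag, "options": options,
            "module": posixpath.join(MODULE_DIR, name)}  # absolute names pass through

def resolve_chain(service, mtype, files=PAM_D, seen=()):
    """Return the (flag, module, options) chain for one service and module-type,
    expanding include stanzas in place and rejecting include loops."""
    if service in seen:
        raise ValueError("include loop: " + " -> ".join(seen + (service,)))
    chain = []
    for line in files[service].splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        s = parse_stanza(line, service)
        if s["type"] != mtype:
            continue
        if "include" in s:
            chain += resolve_chain(s["include"], mtype, files, seen + (service,))
        else:
            chain.append((s["flag"], s["module"], s["options"]))
    return chain
```

Comparing resolve_chain output before and after a configuration change shows whether an edit to one service's file has altered the chain of every service that includes it.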