pam.conf(4)

Simplified PAM.CONF configuration file

The pam.conf file contains a listing of services. Each service is paired with a corresponding service module. When a service is requested, its associated module is invoked. Each entry has the following format:

Below is an example of the pam.conf configuration file with support for authentication, account management, and session management modules.

Integrating Multiple Authentication Services With Stacking

When a service_name of the same module_type is defined more than once, the service is said to be stacked. Each module referenced in the module_path for that service is then processed in the order that it occurs in the configuration file. The control_flag field specifies the continuation and failure semantics of the modules, and may be required, optional, or sufficient.

The PAM framework processes each service module in the stack. If all required modules in the stack succeed, then success is returned (optional and sufficient error values are ignored). If one or more required modules fail, then the error value from the first required module that failed is returned.

If none of the service modules in the stack are designated as required, then the PAM framework requires that at least one optional or sufficient module succeed. If all fail then the error value from the first service module in the stack is returned.

The only exception to the above is caused by the sufficient flag. If a service module that is designated as sufficient succeeds, then the PAM framework immediately returns success to the application (all subsequent services modules, even required ones, in the stack are ignored), given that all prior required modules had also succeeded. If a prior required module failed, then the error value from that module is returned.

If a module does not exist or can not be opened, then the pam.conf entry is ignored and an error will be logged through syslog(3C) at the LOG_CRIT level.

Below is a sample configuration file that stacks the login, and dtlogin services.

In the case of login, the user is authenticated by the UNIX and inhouse authentication modules. The required keyword for control_flag requires that the user be allowed to login only if the user is authenticated by the UNIX service module. Inhouse authentication is optional by virtue of the optional keyword in the control_flag field. The user can still log in even if inhouse authentication fails.

In the case of dtlogin, the sufficient keyword for control_flag specifies that if the UNIX authentication check succeeds, then PAM should return success to dtlogin. The inhouse authentication module (the next module in the stack) will only be invoked if the UNIX authentication check fails.

Some modules may return PAM_IGNORE in certain situations. In these cases the PAM framework ignores the entire entry in pam.conf regardless of whether or not it is required, optional or sufficient.

Configuration Per User

pam.conf contains information to configure all the users on a system. But sometimes it is necessary to configure user by user. A user policy definition is made through a specific module named libpam_updbe.1. This module reads a file named /etc/pam_user.conf which describes the user's configurations.

Below is a sample configuration file (/etc/pam.conf) that uses the module libpam_updbe.1.

The module libpam_updbe.1 searches the configuration file /etc/pam_user.conf and reads the configuration associated with the login name of the current user. If there is no configuration concerning the current user in the pam_user.conf file, the PAM framework ignores the line containing libpam_updbe.1. The pam.conf applies for those users who are not configured in pam_user.conf.

Utilities and Files

A list of utilities that are known to use PAM include: login, passwd, su, and dtlogin.

The PAM configuration file does not dictate either the name or the location of the service specific modules. The convention, however, is the following: