Ubuntu - PAM - Configure PAM

The main configuration file for PAM is /etc/pam.conf, and the /etc/pam.d/ directory contains one PAM configuration file for each PAM-aware application or service.

If the /etc/pam.d/ directory exists, PAM ignores /etc/pam.conf.


Syntax of Main Configuration File

The syntax for the main configuration file is as follows.

service type control-flag module module-arguments 

where:

  • service: actual application name.
  • type: module type/context/interface.
  • control-flag: indicates the behavior of the PAM-API should the module fail to succeed in its authentication task.
  • module: the absolute filename or relative pathname of the PAM module.
  • module-arguments: space separated list of tokens for controlling module behavior.

The file is made up of a list of rules, each written on a single line.

You can extend rules over multiple lines using the “\” escape character. For example:

aaa \
bbb

The format of each rule is a space separated collection of tokens (the first three are case-insensitive).

Comments are preceded with “#” marks and extend to the next end of line.


Syntax of PAM config files

The syntax of each file in /etc/pam.d/ is similar to that of the main file and is made up of lines of the following form:

type control-flag module module-arguments

This is an example of a rule definition (without module-arguments) found in the /etc/pam.d/sshd file; it disallows non-root logins when /etc/nologin exists:

account required pam_nologin.so

Understanding PAM Management Groups and Control-flags

PAM authentication tasks are separated into four independent management groups.

These groups manage different aspects of a typical user’s request for a restricted service.

A module is associated with one of these management group types:

  • account: provides services for account verification: has the user’s password expired? Is this user permitted access to the requested service?
  • authentication: authenticates a user and sets up user credentials.
  • password: updates user passwords and works together with authentication modules.
  • session: manages actions performed at the beginning and at the end of a session.

PAM loadable object files (the modules) are located in /lib/security/ or /lib64/security/, depending on the architecture.

The supported control-flags are:

  • requisite: failure instantly returns control to the application, indicating the nature of the first module failure.
  • required: all these modules are required to succeed for libpam to return success to the application.
  • sufficient: given that all preceding modules have succeeded, the success of this module leads to an immediate and successful return to the application (failure of this module is ignored).
  • optional: the success or failure of this module is generally not recorded.

In addition to the keywords above, there are two other valid control flags:

  • include: include all lines of the given type from the configuration file specified as an argument to this control.
  • substack: include all lines of the given type from the configuration file specified as an argument to this control. It differs from include in that the included lines are evaluated as their own sub-stack, so a done or die action inside the substack skips only the rest of that substack, not the rest of the complete module stack.
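The rule syntax and control-flag semantics described above, as an added example that is not part of the original page: a small parser for /etc/pam.d-style files (comments, "\" line continuation, case-insensitive type and control-flag) and a simulator that walks one management group's stack with the requisite/required/sufficient/optional rules. The sample rules and the per-module outcomes are constructed for illustration; the type token for the authentication group is written "auth", as in real pam.d files.

```python
VALID_TYPES = {"auth", "account", "password", "session"}
SIMPLE_FLAGS = {"requisite", "required", "sufficient", "optional"}
ALL_FLAGS = SIMPLE_FLAGS | {"include", "substack"}

def parse_pam_rules(text):
    """Parse pam.d-style text into rule dicts: '#' comments are stripped, a trailing
    '\\' joins the next line, and type/control-flag are lower-cased (case-insensitive)."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "     # continuation: collect and read on
            continue
        tokens = (pending + line).split()
        pending = ""
        if not tokens:
            continue
        if (len(tokens) < 3 or tokens[0].lower() not in VALID_TYPES
                or tokens[1].lower() not in ALL_FLAGS):
            raise ValueError("malformed rule: %r" % raw)
        rules.append({"type": tokens[0].lower(), "control": tokens[1].lower(),
                      "module": tokens[2], "args": tokens[3:]})
    return rules

def evaluate_stack(rules, mtype, outcomes):
    """Walk one management group's rules with the control-flag semantics above;
    outcomes maps module name -> True/False. include/substack rules are skipped here."""
    failed = False
    for rule in rules:
        if rule["type"] != mtype or rule["control"] not in SIMPLE_FLAGS:
            continue
        ok, flag = outcomes[rule["module"]], rule["control"]
        if flag == "requisite" and not ok:
            return False                   # stop at once, later modules never run
        if flag == "required" and not ok:
            failed = True                  # remembered, but the stack keeps running
        elif flag == "sufficient" and ok and not failed:
            return True                    # short-circuits only if nothing earlier failed
    return not failed                      # optional outcomes are not recorded

# Constructed sample in pam.d syntax (not copied from a real Ubuntu file).
SAMPLE = """\
auth     required    pam_env.so
auth     sufficient  pam_unix.so \\
                     nullok_secure   # continuation joins this to the rule above
auth     requisite   pam_deny.so
account  required    pam_nologin.so  # refuse non-root logins while /etc/nologin exists
account  required    pam_unix.so
"""
```

Feeding the sample through both functions shows why the "given that all preceding modules have succeeded" clause matters: a failed required pam_env.so stops the sufficient pam_unix.so from short-circuiting, so the stack runs on into the requisite pam_deny.so and fails.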
ubuntu/pam/configure_pam.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1
