Ubuntu - PAM - Configure PAM
The main configuration file for PAM is /etc/pam.conf, and the /etc/pam.d/ directory contains the PAM configuration files for each PAM-aware application or service.
PAM will ignore the /etc/pam.conf file if the /etc/pam.d/ directory exists.
The syntax for the main configuration file is as follows.
The file is made up of a list of rules, each written on a single line (you can extend a rule across lines using the “\” escape character). Comments are preceded by “#” marks and extend to the end of the line.
The format of each rule is a space-separated collection of tokens (the first three are case-insensitive).
We will explain these tokens in subsequent sections.
where:
- service: actual application name.
- type: module type/context/interface.
- control-flag: indicates the behavior of the PAM-API should the module fail to succeed in its authentication task.
- module: the absolute filename or relative pathname of the PAM.
- module-arguments: space-separated list of tokens for controlling module behavior.
The syntax of each file in /etc/pam.d/ is similar to that of the main file and is made up of lines of the following form:
type control-flag module module-arguments
This is an example of a rule definition (without module-arguments) found in the /etc/pam.d/sshd file, which disallows non-root logins when /etc/nologin exists:
account required pam_nologin.so
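The following parser is an added example, not part of the original page or of PAM itself. It reads rules in both layouts described above (with a leading service token for /etc/pam.conf, without one for files in /etc/pam.d/), applying the "#" comment, "\" continuation and case-insensitivity rules. It goes slightly beyond the page by also accepting a bracketed control-flag; the sample input, the function names and the "absolute" field are constructed for illustration.

```python
TYPES = {"account", "auth", "password", "session"}

def logical_lines(text):
    """Yield rules with '#' comments removed and '\\' continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):            # rule continues on the next line
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if line:
            yield line

def parse_rule(line, service=None):
    """service=None: /etc/pam.conf layout (service is the first token).
    Otherwise: /etc/pam.d/<service> layout (the file name is the service)."""
    tokens = line.split()
    if service is None:
        service, tokens = tokens[0], tokens[1:]
    if len(tokens) < 3:
        raise ValueError(f"incomplete rule: {line!r}")
    rtype, control, rest = tokens[0].lower(), tokens[1], tokens[2:]
    # A bracketed control-flag such as [success=1 default=ignore] spans tokens.
    while control.startswith("[") and not control.endswith("]") and rest:
        control, rest = control + " " + rest[0], rest[1:]
    if rtype not in TYPES or not rest:
        raise ValueError(f"malformed rule: {line!r}")
    return {"service": service.lower(), "type": rtype,
            "control": control.lower(), "module": rest[0],
            "args": rest[1:], "absolute": rest[0].startswith("/")}

def parse(text, service=None):
    return [parse_rule(l, service) for l in logical_lines(text)]

# Constructed sample input (not taken from a real system).
PAM_CONF = """\
# /etc/pam.conf layout: service comes first
SSHD  Account  REQUIRED  pam_nologin.so   # tokens 1-3 are case-insensitive
login auth     required  /lib/security/pam_unix.so \\
                         try_first_pass debug
"""
PAM_D_SSHD = "account required pam_nologin.so\n"   # /etc/pam.d/sshd layout

if __name__ == "__main__":
    for rule in parse(PAM_CONF) + parse(PAM_D_SSHD, service="sshd"):
        print(rule)
```

Lines that are not plain rules, such as the @include directives found in Ubuntu's /etc/pam.d/ files, raise ValueError here rather than being interpreted.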