Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (NetBSD-6.1.5)
Apropos / Subsearch:
optional field

PAM.CONF(5)                   File Formats Manual                  PAM.CONF(5)

     pam.conf -- Pluggable Authentication Modules configuration file

     The pam.conf file specifies how Pluggable Authentication Modules (PAM)
     should operate.  For an overview of the Pluggable Authentication Modules
     framework, see pam(8).

     PAM may be configured using a single /etc/pam.conf configuration file or
     by using multiple configuration files, one for each PAM-aware service,
     located in the /etc/pam.d/ directory.  If /etc/pam.d/ exists,
     /etc/pam.conf will be ignored.  /etc/pam.d/ is the preferred method for
     configuring PAM.

     PAM's configuration is based on ``stacking'' different modules together
     to form a processing chain for the task.  A standard PAM configuration
     stanza is structured as follows:

           [service-name] module-type control-flag module-name [options]

     service-name is used only (and is mandatory) in /etc/pam.conf.  It
     specifies the PAM-aware service whose PAM behavior is being configured.
     When /etc/pam.d/ is used, the name of the configuration file specifies
     the service.

     module-type specifies which of the four classes of PAM module
     functionality is being configured.  These four classes are account
     (account management), auth (authentication), password (password
     management), and session (session management).

     control-flag specifies the behavior of the processing chain upon success
     or failure of the PAM module's authentication task.  The following are
     valid values for control-flag:

     binding     If the module succeeds and no earlier module in the chain has
                 failed, the chain is immediately terminated and the request
                 is granted.  If the module fails, the rest of the chain is
                 executed, but the request is ultimately denied.

     requisite   If the module returns success, continue to execute the
                 processing chain.  If the module fails, immediately return
                 the error code from the first `required' failure.

     required    If the module returns success, continue to execute the
                 processing chain.  If the module fails, record as a
                 `required' failure and continue to execute the processing
                 chain.  If there are any `required' failures in the
                 processing chain, the chain will ultimately return failure.

     optional    If the module returns success, continue to execute the
                 processing chain.  If the module fails, record as an
                 `optional' failure and continue to execute the processing

     sufficient  If the module returns success and there have been no recorded
                 `required' failures, immediately return success without
                 calling any subsequent modules in the processing chain.  If
                 the module fails, return as an `optional' failure and
                 continue to execute the processing chain.

     module-name specifies the module to execute for this stanza.  This is
     either an absolute path name or a path name relative to the default
     module location: /usr/lib/security.

     options are additional options that may be specified for the module.
     Refer to the individual modules' documentation for more information on
     available options.

     In addition to the standard configuration stanza format, there is an
     additional stanza format available when /etc/pam.d/ is used:

           module-type include service-name

     This stanza format provides a simple inheritance model for processing

     /etc/pam.conf  monolithic PAM configuration file
     /etc/pam.d/    PAM service configuration file directory

     The following auth processing chain for the ``login'' service (located in
     /etc/pam.d/login) performs the following tasks: allows the login if the
     old user and new user are the same, verifies that logins are not disabled
     using the /var/run/nologin file, allows Kerberos 5 password
     authentication, and requires standard UNIX password authentication if
     Kerberos 5 failed:

           auth    sufficient      pam_self.so
           auth    required        pam_nologin.so
           auth    sufficient      pam_krb5.so
           auth    required        pam_unix.so

     It is important to note that loading a chain will fail if any of the
     components of the chain fail to load or are not available.  A common
     situation when this can happen is on a system that where components such
     as kerberos(1) or crypto(3) have not been installed.  In that situation
     pam_krb5(8), pam_ksu(8), or pam_ssh(8) might not be present in the
     system.  In order for a chain to load properly all non-present components
     must be removed from the chain.

     login(1), passwd(1), su(1), pam(3), pam(8)

     The pam.conf file format first appeared in NetBSD 3.0.

NetBSD 6.1.5                    March 17, 2005                    NetBSD 6.1.5