19.1 Structure of a PAM Configuration File
Each line in a PAM configuration file contains a maximum of four columns:
<Type of module> <Control flag> <Module path> <Options>
PAM modules are processed as stacks. Different types of modules have
different purposes, for example, one module checks the password, another
one verifies the location from which the system is accessed, and yet
another one reads user-specific settings. PAM knows about four different
types of modules:
The purpose of this type of module is to check the user's
authenticity. This is traditionally done by querying a password, but
it can also be achieved with the help of a chip card or through
biometrics (for example, fingerprints or iris scan).
Modules of this type check whether the user has general permission to
use the requested service. As an example, such a check should be
performed to ensure that no one can log in under the username of an
The purpose of this type of module is to enable the change of an
authentication token. In most cases, this is a password.
Modules of this type are responsible for managing and configuring user
sessions. They are started before and after authentication to register
login attempts in system logs and configure the user's specific
environment (mail accounts, home directory, system limits, etc.).
The second column contains control flags to influence the behavior of the
A module with this flag must be successfully processed before the
authentication may proceed. After the failure of a module with the
required flag, all other modules with the same flag
are processed before the user receives a message about the failure of
the authentication attempt.
Modules having this flag must also be processed successfully, in much
the same way as a module with the required flag.
However, in case of failure a module with this flag gives immediate
feedback to the user and no further modules are processed. In case of
success, other modules are subsequently processed, just like any
modules with the required flag. The
requisite flag can be used as a basic filter
checking for the existence of certain conditions that are essential
for a correct authentication.
After a module with this flag has been successfully processed, the
calling application receives an immediate message about the success
and no further modules are processed, provided there was no preceding
failure of a module with the required flag. The
failure of a module with the sufficient flag has no
direct consequences, in the sense that any subsequent modules are
processed in their respective order.
The failure or success of a module with this flag does not have any
direct consequences. This can be useful for modules that are only
intended to display a message (for example, to tell the user that mail
has arrived) without taking any further action.
If this flag is given, the file specified as argument is inserted at
The module path does not need to be specified explicitly, as long as the
module is located in the default directory
/lib/security (for all 64-bit platforms supported by
openSUSE®, the directory is /lib64/security).
The fourth column may contain an option for the given module, such as
debug (enables debugging) or nullok
(allows the use of empty passwords).
NOTE: 64-Bit and 32-Bit Mixed Installations
When using a 64-Bit operating system, it is possible to also include a
runtime environment for 32-Bit applications. In this case, make sure
that you install both versions of the respective pam modules when
installing new modules.