Each line of the preceding sample code represents a rule for PAM to follow when authenticating a user for this service. The contents of each line are broken down into the following fields:
– Type is the management group to which a rule corresponds, that is, the group with which the module is associated. Valid entries are account, auth, password, and session, as described in the earlier section, “PAM Management Groups.”
– Control specifies the behavior of the PAM API if the module fails to authenticate. Valid control values are as follows:
  – requisite: Failure of the PAM module results in the authentication process immediately being terminated.
  – required: Failure of the PAM module ultimately causes the PAM API to return failure, but only after the remaining modules have been invoked.
  – sufficient: Success of the PAM module satisfies the authentication requirements of the stack of modules. (If a prior required module has failed, the success of this one is ignored.)
  – optional: The success or failure of this module is important only if it is the only module in the stack associated with this service and type.
– module-path: Either the full filename of the PAM to be used by the application (if it begins with a /), or a relative pathname from the default module location of /usr/lib/pam/. You can also supply modules, on a per-module basis, with arguments to influence their behavior.
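
The following added example (not code from the original text, and not part of PAM itself) parses rule lines into the fields described above and models how the four control values decide the outcome of a stack. The `pam_demo_*` module names, the sample rules, and the per-module results passed to `evaluate` are constructed for illustration. It assumes that a failed sufficient module is ignored and that a stack in which no requisite or required module succeeds is denied.

```python
from collections import namedtuple

DEFAULT_DIR = "/usr/lib/pam/"  # default module location given in the text
TYPES = {"account", "auth", "password", "session"}
CONTROLS = {"requisite", "required", "sufficient", "optional"}
Rule = namedtuple("Rule", "type control path args")
# Constructed sample; the pam_demo_* modules are hypothetical.
SAMPLE = """\
auth    requisite  pam_demo_tty.so
auth    sufficient pam_demo_token.so
auth    required   pam_demo_passwd.so debug
auth    required   /opt/demo/pam_demo_audit.so
session optional   pam_demo_motd.so
"""

def parse_rule(line):
    """Split one 'type control module-path [args...]' line into a Rule."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"too few fields: {line!r}")
    rtype, control, path, *args = fields
    if rtype not in TYPES or control not in CONTROLS:
        raise ValueError(f"unknown type or control: {line!r}")
    if not path.startswith("/"):
        path = DEFAULT_DIR + path  # relative names resolve under the default
    return Rule(rtype, control, path, args)

def evaluate(rules, rtype, outcomes):
    """Return (granted, invoked) for one management group.
    outcomes maps module path -> True/False (constructed module results)."""
    stack = [r for r in rules if r.type == rtype]
    required_failed, mandatory_ok, invoked = False, False, []
    for r in stack:
        ok = outcomes[r.path]
        invoked.append(r.path)
        if r.control == "optional":
            if len(stack) == 1:
                return ok, invoked       # a lone optional module decides
        elif r.control == "sufficient":
            if ok and not required_failed:
                return True, invoked     # stack satisfied, stop here
        elif ok:
            mandatory_ok = True          # requisite/required succeeded
        elif r.control == "requisite":
            return False, invoked        # terminate immediately
        else:
            required_failed = True       # required: fail later, keep going
    return mandatory_ok and not required_failed, invoked
RULES = [parse_rule(l) for l in SAMPLE.splitlines() if l.strip()]
```

The `invoked` list makes the difference between requisite and required visible: a failed requisite module ends the list at that module, while a failed required module still lets every later module run before access is denied.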