Control Flags
To determine the continuation or failure behavior from a module during the authentication process, you must select one of four control flags for each entry in the PAM configuration file, /etc/pam.conf. The control flags indicate how a successful attempt or a failed attempt through each module is handled. Even though these flags apply to all module types, the following explanation assumes that these flags are being used for authentication modules. The control flags are as follows:
required - With this control flag, the module must return success in order to have the overall result be successful.
If all modules are flagged as required, then authentication through all modules must succeed for the user to be authenticated.
If some modules fail, then an error value from the first failed module is reported.
If a failure occurs for a module that is flagged as required, all modules in the stack are still tried, but failure is returned.
If none of the modules are flagged as required, then at least one entry for that service must succeed for the user to be authenticated.
requisite - With this control flag, the module must return success for additional authentication to occur.
If a failure occurs for a module that is flagged as requisite, an error is immediately returned to the application, and no additional authentication is done. If the stack does not include prior modules flagged as required that failed, then the error from this module is returned. If an earlier module flagged as required has failed, the error message from the required module is returned.
optional - If a module with this control flag fails, the overall result can be successful if another module in this stack returns success.
The optional control flag should be used when successful authentication in the stack is enough for a user to be authenticated. This flag should only be used if it is not important for this particular mechanism to succeed.
If your users need to have permission associated with a specific mechanism to get their work done, then you should not label it as optional.
sufficient - If a module with this control flag is successful, skip the remaining modules in the stack, even if they are flagged as required.
The sufficient control flag indicates that one successful authentication will be enough for the user to be granted access.
More information about these control flags is provided in the following section, which describes the default /etc/pam.conf file.
Generic pam.conf File
The generic /etc/pam.conf file specifies the following actions:
When the login command is run, authentication must succeed for the pam_authtok_get, pam_dhkeys, pam_auth_unix and the pam_dial_auth modules.
For the rlogin command, authentication through the pam_authtok_get, pam_dhkeys, and pam_auth_unix modules must succeed, if authentication through pam_rhost_auth fails.
The sufficient control flag indicates that for the rlogin command the successful authentication that is provided by the pam_rhost_auth module is sufficient, and the next entry will be ignored.
Most of the other commands that require authentication require successful authentication through the pam_authtok_get, pam_dhkeys, and pam_auth_unix modules.
For the rsh command, authentication through the pam_rhost_auth module is flagged as sufficient. No other authentication is required if authentication through the pam_rhost_auth module succeeds.
The OTHER service name allows a default to be set for any other commands that require authentication that are not included in the file. The OTHER option makes it easier to administer the file, since many commands that are using the same module can be covered by using only one entry. Also, the OTHER service name, when used as a "catch-all," can ensure that each access is covered by one module. By convention, the OTHER entry is included at the bottom of the section for each module type.
Normally, the entry for the module_path is "root-relative." If the file name you enter for module_path does not begin with a slash (/), the path /usr/lib/security/$ISA is prepended to the file name. A full path name must be used for modules that are located in other directories. The values for the module_options can be found in the man pages for the module. For example, the UNIX module is covered in the pam_unix(5) man page.
login auth required pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 |
In this example, the login service specifies authentication through all four authentication modules. A login command fails if any of the modules return an error.