PAM Module Control Flags
All PAM modules generate a success or failure result when checked. Control flags tell PAM what do with the result. Since modules can be stacked in a particular order, control flags give you the ability to set the importance of a module in respect to the modules that follow it.
Again, consider the rlogin PAM configuration file:
auth required /lib/security/pam_nologin.so auth required /lib/security/pam_securetty.so auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_rhosts_auth.so auth required /lib/security/pam_stack.so service=system-auth |
 | Important |
|---|---|
The order in which required modules are called is not critical. The sufficient and requisite control flags is what causes order to become important. See below for an explanation of each type of control flag. |
After the module type is specified, the control flags decide how important the success or failure of that particular module should be in the overall goal of allowing access to the service.
Four types of control flags are defined by the PAM standard:
required — the module must be successfully checked in order to allow authentication. If a required module check fails, the user is not notified until all other modules of the same module type have been checked.
requisite — the module must be successfully checked in order for the authentication to be successful. However, if a requisite module check fails, the user is notified immediately with a message reflecting the first failed required or requisite module.
sufficient — the module checks are ignored if it fails. But, if a sufficient flagged module is successfully checked and no required flagged modules above it have failed, then no other modules of this module type are checked and the user is authenticated.
optional — the module checks are ignored if it fails. If the module check is successful, it does not play a role in the overall success or failure for that module type. The only time a module flagged as optional is necessary for successful authentication is when no other modules of that type have succeeded or failed. In this case, an optional module determines the overall PAM authentication for that module type.
A newer control flag syntax allowing for even more control is now available for PAM. Please see the PAM docs located in the /usr/share/doc/pam-version-number/ directory for information on this new syntax.