- NetBSD Manual Pages
PAM.CONF(5) NetBSD File Formats Manual PAM.CONF(5)
Powered by man-cgi (2021-06-01).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.
pam.conf -- Pluggable Authentication Modules configuration file
The pam.conf file specifies how Pluggable Authentication Modules (PAM)
should operate. For an overview of the Pluggable Authentication Modules
framework, see pam(8).
PAM may be configured using a single /etc/pam.conf configuration file or
by using multiple configuration files, one for each PAM-aware service,
located in the /etc/pam.d/ directory. If /etc/pam.d/ exists,
/etc/pam.conf will be ignored. /etc/pam.d/ is the preferred method for
PAM's configuration is based on ``stacking'' different modules together
to form a processing chain for the task. A standard PAM configuration
stanza is structured as follows:
[service-name] module-type control-flag module-name [options]
service-name is used only (and is mandatory) in /etc/pam.conf. It speci-
fies the PAM-aware service whose PAM behavior is being configured. When
/etc/pam.d/ is used, the name of the configuration file specifies the
module-type specifies which of the four classes of PAM module functional-
ity is being configured. These four classes are account (account
management), auth (authentication), password (password management), and
session (session management).
control-flag specifies the behavior of the processing chain upon success
or failure of the PAM module's authentication task. The following are
valid values for control-flag:
binding If the module succeeds and no earlier module in the chain has
failed, the chain is immediately terminated and the request
is granted. If the module fails, the rest of the chain is
executed, but the request is ultimately denied.
requisite If the module returns success, continue to execute the pro-
cessing chain. If the module fails, immediately return the
error code from the first `required' failure.
required If the module returns success, continue to execute the pro-
cessing chain. If the module fails, record as a `required'
failure and continue to execute the processing chain. If
there are any `required' failures in the processing chain,
the chain will ultimately return failure.
optional If the module returns success, continue to execute the pro-
cessing chain. If the module fails, record as an `optional'
failure and continue to execute the processing chain.
sufficient If the module returns success and there have been no recorded
`required' failures, immediately return success without call-
ing any subsequent modules in the processing chain. If the
module fails, return as an `optional' failure and continue to
execute the processing chain.
module-name specifies the module to execute for this stanza. This is
either an absolute path name or a path name relative to the default mod-
ule location: /usr/lib/security.
options are additional options that may be specified for the module.
Refer to the individual modules' documentation for more information on
In addition to the standard configuration stanza format, there is an
additional stanza format available when /etc/pam.d/ is used:
module-type include service-name
This stanza format provides a simple inheritance model for processing
/etc/pam.conf monolithic PAM configuration file
/etc/pam.d/ PAM service configuration file directory
The following auth processing chain for the ``login'' service (located in
/etc/pam.d/login) performs the following tasks: allows the login if the
old user and new user are the same, verifies that logins are not disabled
using the /var/run/nologin file, allows Kerberos 5 password authentica-
tion, and requires standard UNIX password authentication if Kerberos 5
auth sufficient pam_self.so
auth required pam_nologin.so
auth sufficient pam_krb5.so
auth required pam_unix.so
It is important to note that loading a chain will fail if any of the com-
ponents of the chain fail to load or are not available. A common situa-
tion when this can happen is on a system that where components such as
kerberos(1) or crypto(3) have not been installed. In that situation
pam_krb5(8), pam_ksu(8), or pam_ssh(8) might not be present in the sys-
tem. In order for a chain to load properly all non-present components
must be removed from the chain.
login(1), passwd(1), su(1), pam(3), pam(8)
The pam.conf file format first appeared in NetBSD 3.0.
NetBSD 5.0 March 17, 2005 NetBSD 5.0