The files in /etc/pam.d/ are configurations for PAM stacks. The generic syntax
of a line in those files is:

    management_group control_flag module [options]

management_group and control_flag are described further in this article.
module is the name of the PAM file to be used. The options are
not required, and are either generic ones or module-specific.

The value of management_group can be one of:

    auth (for user authentication)
    account (for account management)
    session (for session management)
    password (for password management)

The auth group is used for user authentication, and is mostly used by
login for CLI authentication, or by XDM or similar for logging
in to a desktop environment.

The password group is used for user password management, and is most
likely utilized by tools like

The session group manages user sessions. It may verify the existence
of a user's home directory or even create it if it does not exist, and it
can mount partitions that are specific to a user, etc. It will also
clean up the user's session after he/she has logged out.

The value of control_flag can be one of the following.

The requisite flag makes a check necessary but not enough. This means
a requisite check must succeed for the stack to go on, but
the success of the entire stack depends on further checks. In pseudocode:

    IF SUCCESS: GOTO NEXT LINE
    ELSE: FAIL

The required flag makes a check necessary for the success of the
entire stack, while it allows for the execution of the next checks. In
pseudocode:

    IF SUCCESS: GOTO NEXT LINE
    ELSE: GOTO NEXT LINE
    FINALLY: FAIL

The sufficient flag makes a check stop the execution of the stack if
that check succeeds, otherwise execution continues. In pseudocode:

    IF SUCCESS: STOP STACK EXECUTION
    ELSE: GOTO NEXT LINE

The optional flag does not affect the execution of the stack, unless
the check is the last one in the stack, in which case the success of
the entire stack is the same as the success of the last check. In
pseudocode:

    IF SUCCESS: GOTO NEXT LINE
    ELSE: GOTO NEXT LINE

Note that the pseudocode above does not include the exception that
happens when the optional check is the last in the stack.
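
The following is an added example, not code from the original article. It parses lines in the syntax shown above and evaluates one management group using the control_flag rules as the pseudocode states them. The sample stack and the outcomes mapping are constructed, and parse and evaluate are hypothetical helper names. Like the pseudocode, it does not model the optional special case.

```python
FLAGS = {"requisite", "required", "sufficient", "optional"}

# Constructed sample stack (not taken from a real system).
SAMPLE_STACK = """\
auth     requisite   pam_nologin.so
auth     required    pam_env.so
auth     sufficient  pam_unix.so nullok
auth     required    pam_deny.so
session  optional    pam_motd.so
"""

def parse(text):
    """Split lines into (management_group, control_flag, module, options)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in FLAGS:
            raise ValueError(f"unsupported PAM line: {raw!r}")
        group, flag, module, *options = fields
        rules.append((group, flag, module, options))
    return rules

def evaluate(rules, group, outcomes):
    """Return (stack_succeeded, modules_run) for one management group.

    outcomes maps module name -> True/False (hypothetical check results).
    """
    required_failed = False
    ran = []
    for rule_group, flag, module, _options in rules:
        if rule_group != group:
            continue
        ok = outcomes[module]
        ran.append(module)
        if flag == "requisite" and not ok:
            return False, ran              # fail now, skip the rest
        if flag == "required" and not ok:
            required_failed = True         # keep going, fail at the end
        if flag == "sufficient" and ok:
            break                          # stop stack execution
        # optional: no effect (special case not modelled, as in the pseudocode)
    return not required_failed, ran

if __name__ == "__main__":
    rules = parse(SAMPLE_STACK)
    print(evaluate(rules, "auth", {"pam_nologin.so": True, "pam_env.so": False,
                                   "pam_unix.so": True}))
```

In the sample stack a failed required check before the sufficient line still fails the stack even though the sufficient check succeeds, which is why the order of lines in a stack deserves review.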