PAM Module Arguments

PAM uses arguments to pass information to a pluggable module during authentication for a particular module type. These arguments allow the PAM configuration files for particular programs to use a common PAM module but in different ways.

For example, the module uses secrets stored in a Berkeley DB file to authenticate the user. Berkeley DB is an open source database system designed to be embedded in many applications to track information. The module takes a db argument, specifying the Berkeley DB filename to use, which can be different for different services.

So, the line in a PAM configuration file look like this:

auth      required  /lib/security/ db=path/to/file

Invalid arguments are ignored and do not otherwise affect the success or failure of the PAM module. When an invalid argument is passed, an error is usually written to /var/log/messages file. However, since the reporting method is controlled by the PAM module, the module must be written correctly to log the error to this file.