PAM Module Control Flags

All PAM modules generate a success or failure result when checked. Control flags tell PAM what do with the result. Since modules can be stacked in a particular order, control flags give you the ability to set the importance of a module in respect to the modules that follow it.

Again, consider the rlogin PAM configuration file:

auth       required     /lib/security/
auth       required     /lib/security/
auth       required     /lib/security/
auth       sufficient   /lib/security/
auth       required     /lib/security/ service=system-auth


The order in which required modules are called is not critical. The sufficient and requisite control flags is what causes order to become important. See below for an explanation of each type of control flag.

After the module type is specified, the control flags decide how important the success or failure of that particular module should be in the overall goal of allowing access to the service.

Four types of control flags are defined by the PAM standard:

A newer control flag syntax allowing for even more control is now available for PAM. Please see the PAM docs located in the /usr/share/doc/pam-version-number/ directory for information on this new syntax.