3. PAM Configuration File FormatEach PAM configuration file contains a group of directives formatted as follows: interface> flag>Each of these elements are explained in the subsequent sections.3.1. Module InterfaceThere are four types of PAM module interfaces which correlate to different aspects of theauthorization process:• auth — This module interface authenticates use. For example, it asks for and verifies thevalidity of a password. Modules with this interface can also set credentials, such as groupmemberships or Kerberos tickets.• account — This module interface verifies that access is allowed. For example, it may check ifa user account is expired or is allowed to log in at a particular time of day.• password — This module interface sets and verifies passwords.• session — This module interface configures and manages user sessions. Modules with thisinterface can also perform additional tasks that are needed to allow access, like mounting auser's home directory and making the user's mailbox available.NoteAn individual module can provide any or all module interfaces. For instance,pam_unix.so provides all four module interfaces.In a PAM configuration file, the module interface is the first field defined. For example, a typicalline in a configuration may look like this:auth required pam_unix.soThis instructs PAM to use the pam_unix.so module's auth interface.3.1.1. Stacking Module InterfacesModule interface directives can be stacked, or placed upon one another, so that multiplemodules are used together for one purpose. For this reason, the order in which the modules arelisted is very important to the authentication process.Chapter 16. Pluggable Authent...298
