Table of Contents
Advertisement
modules with the same flag are processed before the user receives a message about
the failure of the authentication attempt.
requisite
Modules having this flag must also be processed successfully, in much the same
way as a module with the required flag. However, in case of failure a module
with this flag gives immediate feedback to the user and no further modules are
processed. In case of success, other modules are subsequently processed, just like
any modules with the required flag. The requisite flag can be used as a
basic filter checking for the existence of certain conditions that are essential for a
correct authentication.
sufficient
After a module with this flag has been successfully processed, the calling application
receives an immediate message about the success and no further modules are pro-
cessed, provided there was no preceding failure of a module with the required
flag. The failure of a module with the sufficient flag has no direct conse-
quences, in the sense that any subsequent modules are processed in their respective
order.
optional
The failure or success of a module with this flag does not have any direct conse-
quences. This can be useful for modules that are only intended to display a message
(for example, to tell the user that mail has arrived) without taking any further action.
include
If this flag is given, the file specified as argument is inserted at this place.
The module path does not need to be specified explicitly, as long as the module is lo-
cated in the default directory /lib/security (for all 64-bit platforms supported by
SUSE Linux Enterprise®, the directory is /lib64/security). The fourth column
may contain an option for the given module, such as debug (enables debugging) or
nullok (allows the use of empty passwords).
27.2 The PAM Configuration of sshd
To show how the theory behind PAM works, consider the PAM configuration of sshd
as a practical example:
Authentication with PAM
497
Advertisement
Table of Contents
Troubleshooting
