16.3.2. Control Flag
All PAM modules generate a success or failure result when called. Control flags tell PAM what do with the result. Since modules can be stacked in a particular order, control flags decide how important the success or failure of a particular module is to the overall goal of authenticating the user to the service.
There are four predefined control flags:
required— The module result must be successful for authentication to continue. If arequiredmodule result fails, the user is not notified until results on all modules referencing that interface are completed.requisite— The module result must be successful for authentication to continue. However, if arequisitemodule result fails, the user is notified immediately with a message reflecting the first failedrequiredorrequisitemodule.sufficient— The module result is ignored if it fails. However, if asufficientflagged module result is successful and norequiredflagged modules above it have failed, then no other results are required and the user is authenticated to the service.optional— The module result is ignored. A module flagged asoptionalonly becomes necessary for successful authentication when there are no other modules referencing the interface.
Important
The order in which
required modules are called is not critical. The sufficient and requisite control flags cause order to become important.
A newer control flag syntax which allows for more precise control is now available for PAM. Please see the PAM documentation located in the
/usr/share/doc/pam-<version-number>/ directory for information on this new syntax (where <version-number> is the version number for PAM).
