5.4 Linux User Management and the Pluggable Authentication Module

The pam_nam module can be dynamically loaded to provide the necessary functionality upon demand. The pam sample file is /etc/pam.d/pam_nam_sample.

The following is an example of an entry in the configuration file for login:

auth    required    /lib/security/pam_nam.so

The first field specifies the application requiring the authentication service, the second the name of the service provided, the third the control flag, and the fourth the name of the module providing the service.

The control flag can be of the following types:

  • Required: This flag is set when authentication by the module is required. If the authentication is not successful, an error message is returned to the caller, after executing all the modules in the stack.

  • Optional: This flag is set when authentication by the module is optional. If the module fails, the PAM framework ignores the module failure and continues with processing the next module in the sequence. If this flag is used, the user is allowed to log in, even if that particular module failed.

  • Sufficient: This flag is set when authentication by one module alone is enough. If the module succeeds, the application does not try another module. If the module fails, modules flagged Sufficient are treated as Optional.

The following options can be passed to the PAM module:

  • use_first_pass: This option compares the password in the password database with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, the module quits and does not prompt the user for a password. This option should only be used if the authentication service is designated as optional in the files in the /etc/pam.d.nam or /etc directory.

  • try_first_pass: This option compares the password in the password database with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, the user is prompted for a password. When prompting for the current password, the PAM authentication module uses the following prompt:

    password

However, a different prompt is used if one of the following scenarios occurs:

    • The try_first_pass option is specified and the password entered for the first module in the stack fails for the PAM module.

    • The try_first_pass option is not specified, and the earlier authentication modules listed in the files in the /etc/pam.d.nam directory have prompted the user for the password.

    In these two cases, the Linux User Management authentication module uses the following prompt:

    eDirectory password.
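The following added example (illustration only, not code from the Linux User Management product or from Linux-PAM) ties the three parts of this section together: it parses a constructed /etc/pam.d/<service> fragment in the field layout shown above, walks the auth stack applying the Required, Optional and Sufficient rules, and applies the use_first_pass / try_first_pass behaviour and the two pam_nam prompts described here. Module outcomes come from constructed in-memory password tables rather than real modules; pam_unix.so is assumed as a hypothetical first module in the stack, and the user names and passwords are constructed.

```python
"""Simulate how an 'auth' stack in /etc/pam.d/<service> format is evaluated.

Added illustration; not code from the Linux User Management product or from
Linux-PAM. It models the control flags (required / optional / sufficient) and
the use_first_pass / try_first_pass options described in this section. Module
outcomes come from constructed in-memory password tables rather than real
modules, and pam_unix.so is assumed as a hypothetical first module in the stack.
"""

# Constructed /etc/pam.d/<service> fragments: <type> <control> <module> [options]
STACK_TRY_FIRST = """\
# constructed example stack, not a file shipped with the product
auth    sufficient  /lib/security/pam_unix.so
auth    required    /lib/security/pam_nam.so try_first_pass
"""
STACK_USE_FIRST = """\
auth    required    /lib/security/pam_unix.so
auth    optional    /lib/security/pam_nam.so use_first_pass
"""

# Constructed credential stores standing in for the local password file and eDirectory.
MODULE_DB = {
    "/lib/security/pam_unix.so": {"alice": "local-pw"},
    "/lib/security/pam_nam.so": {"alice": "edir-pw", "bob": "edir-pw"},
}


def parse_pam_file(text):
    """Parse '<type> <control> <module> [options...]' lines; blanks and # comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM entry: {raw!r}")
        mtype, control, module, *options = fields
        entries.append({"type": mtype, "control": control.lower(),
                        "module": module, "options": options})
    return entries


def nam_prompt(options, first_password, earlier_prompted):
    """Prompt text pam_nam shows, following the two cases described in this section."""
    if "try_first_pass" in options:
        # Reached only after the first password was missing or rejected.
        return "eDirectory password." if first_password is not None else "password"
    return "eDirectory password." if earlier_prompted else "password"


def evaluate_auth_stack(entries, user, typed, databases=MODULE_DB):
    """Run the 'auth' entries for `user`; `typed` lists the passwords the user
    enters, consumed one per prompt. Returns (authenticated, prompts, modules_run)."""
    typed = list(typed)
    prompts, ran = [], []
    first_password = None        # what the user typed at the very first prompt
    required_failed = any_success = False

    def prompt(label):
        nonlocal first_password
        prompts.append(label)
        pw = typed.pop(0) if typed else None   # None: user entered nothing
        if first_password is None:
            first_password = pw
        return pw

    for entry in (e for e in entries if e["type"] == "auth"):
        module, opts, control = entry["module"], entry["options"], entry["control"]
        ran.append(module)
        is_nam = module.endswith("pam_nam.so")

        def check(pw):
            return pw is not None and databases[module].get(user) == pw

        if "use_first_pass" in opts:
            ok = check(first_password)          # reuse only; never prompt
        elif "try_first_pass" in opts:
            ok = check(first_password)
            if not ok:                          # missing or wrong: ask again
                label = nam_prompt(opts, first_password, bool(prompts)) if is_nam else "password"
                ok = check(prompt(label))
        else:
            label = nam_prompt(opts, first_password, bool(prompts)) if is_nam else "password"
            ok = check(prompt(label))

        if control == "required":
            required_failed |= not ok           # keep running the rest of the stack
        elif control == "sufficient":
            if ok and not required_failed:      # success ends the stack early
                return True, prompts, ran
            # a failed sufficient module is treated like a failed optional one
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
        any_success |= ok

    # A stack in which nothing succeeded (only ignored failures) also denies access.
    return (any_success and not required_failed), prompts, ran


if __name__ == "__main__":
    stack = parse_pam_file(STACK_TRY_FIRST)
    # Wrong local password first, then the correct eDirectory password at the second prompt.
    print(evaluate_auth_stack(stack, "alice", ["wrong", "edir-pw"]))
```

Running the stand-alone call shows the pam_nam module reusing the rejected first password under try_first_pass, then re-prompting with the "eDirectory password." text; with the second stack, use_first_pass never prompts, and the Optional pam_nam failure is ignored while a Required pam_unix failure is still reported only after every module has run.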