required
— The module result must be successful for authentication to continue. If the test fails at this point, the user is not notified until the results of all module tests that reference that interface are complete.
requisite
— The module result must be successful for authentication to continue. However, if a test fails at this point, the user is notified immediately with a message reflecting the first failed required
or requisite
module test.
sufficient
— The module result is ignored if it fails. However, if the result of a module flagged sufficient
is successful and no previous modules flagged required
have failed, then no other results are required and the user is authenticated to the service.
optional
— The module result is ignored. A module flagged as optional
only becomes necessary for successful authentication when no other modules reference the interface.
Important
required
modules are called is not critical. Only the sufficient
and requisite
control flags cause order to become important.
pam.d
man page, and the PAM documentation, located in the /usr/share/doc/pam/
directory, describe this newer syntax in detail.