Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

PAM Stacking Example

The following example shows the default definitions for authentication management in a sample /etc/pam.d/other file. These definitions are used for authentication if no service-specific authentication definitions have been configured.

##
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1
auth required           pam_unix_cred.so.1 

First, the per-user PAM policy is checked by the pam_user_policy.so.1 module. The definitive control flag makes this module's outcome final whenever it has one: if the evaluation of the user's configured PAM stack succeeds, success is returned to the application immediately, without calling the remaining modules (no earlier required module can have failed, because this is the first module in the stack). If the evaluation of the user's configured PAM stack fails, that failure is returned to the application and no further checking is done. Only if no per-user PAM policy is assigned to this user, so that the module returns ignore rather than success or failure, does evaluation continue with the next module.

If a per-user PAM policy is not assigned to this user, then the pam_authtok_get module is executed. The control flag for this module is requisite: if pam_authtok_get fails, the authentication process ends immediately and the failure is returned to the application without calling any of the modules below it.

If pam_authtok_get succeeds, then the next three modules are executed. These modules are configured with the required control flag, so the authentication process continues through all of them regardless of whether an individual module returns a failure; a failure is recorded but does not stop the stack. Because the same modules run whether or not an earlier required module failed, a caller cannot tell from the modules' behaviour which one rejected the attempt. After pam_unix_cred is executed, no modules remain. At this point, if all the modules succeeded, success is returned to the application. If any of pam_dhkeys, pam_unix_auth, or pam_unix_cred has returned a failure, failure is returned to the application.
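The following simulation replays the walk through the stack described above. It is an added example and not Solaris code: the module outcomes are supplied by the caller (constructed for each scenario) instead of coming from real PAM modules, the return-code names PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR and PAM_AUTHTOK_ERR are used as labels, and the assumption that pam_user_policy.so.1 reports "no per-user policy" as an ignore result is built into the first scenario. Only the three control flags used in /etc/pam.d/other (definitive, requisite, required) are modelled.

```python
"""Simulate how a Solaris PAM auth stack with the definitive, requisite and
required control flags is evaluated.  Added example, not Solaris code."""

# Return-code labels (assumed names; stand-ins for the pam_appl.h constants).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"          # module had nothing to decide
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"

# The auth stack from /etc/pam.d/other, as (control_flag, module) pairs.
OTHER_AUTH_STACK = [
    ("definitive", "pam_user_policy.so.1"),
    ("requisite",  "pam_authtok_get.so.1"),
    ("required",   "pam_dhkeys.so.1"),
    ("required",   "pam_unix_auth.so.1"),
    ("required",   "pam_unix_cred.so.1"),
]


def evaluate_stack(stack, outcomes):
    """Walk `stack` top to bottom and return (final_code, modules_called).

    `outcomes` maps a module name to the code that module would return in
    this scenario (constructed input); modules not listed are taken to
    succeed.  `modules_called` records which modules were actually invoked,
    which shows where each control flag short-circuits the stack.
    """
    modules_called = []
    first_required_failure = None   # earliest required failure is what is returned

    for flag, module in stack:
        rc = outcomes.get(module, PAM_SUCCESS)
        modules_called.append(module)

        if flag == "definitive":
            if rc == PAM_IGNORE:
                continue                        # no per-user policy: fall through
            if rc == PAM_SUCCESS:
                # Final success, unless a required module above already failed.
                return (first_required_failure or PAM_SUCCESS), modules_called
            return rc, modules_called           # final failure, stop immediately

        elif flag == "requisite":
            if rc not in (PAM_SUCCESS, PAM_IGNORE):
                return rc, modules_called       # stop at once on failure

        elif flag == "required":
            if rc not in (PAM_SUCCESS, PAM_IGNORE) and first_required_failure is None:
                first_required_failure = rc     # remember it, but keep going

        else:
            raise ValueError(f"control flag {flag!r} is not modelled here")

    # End of stack: overall result is the first required failure, if any.
    return (first_required_failure or PAM_SUCCESS), modules_called


# The scenarios discussed in the text, each returning (code, modules_called).
def scenario_user_policy_allows():
    return evaluate_stack(OTHER_AUTH_STACK, {"pam_user_policy.so.1": PAM_SUCCESS})


def scenario_user_policy_denies():
    return evaluate_stack(OTHER_AUTH_STACK, {"pam_user_policy.so.1": PAM_AUTH_ERR})


def scenario_no_policy_authtok_fails():
    return evaluate_stack(OTHER_AUTH_STACK, {"pam_user_policy.so.1": PAM_IGNORE,
                                             "pam_authtok_get.so.1": PAM_AUTHTOK_ERR})


def scenario_no_policy_bad_password():
    # pam_unix_auth rejects the password; the required flag keeps the stack
    # running through pam_unix_cred before the failure is reported.
    return evaluate_stack(OTHER_AUTH_STACK, {"pam_user_policy.so.1": PAM_IGNORE,
                                             "pam_unix_auth.so.1": PAM_AUTH_ERR})


def scenario_no_policy_all_succeed():
    return evaluate_stack(OTHER_AUTH_STACK, {"pam_user_policy.so.1": PAM_IGNORE})


if __name__ == "__main__":
    for name, fn in sorted(globals().items()):
        if name.startswith("scenario_"):
            code, called = fn()
            print(f"{name:32s} -> {code:16s} after {len(called)} module(s): {called}")
```

Compare the last two scenarios: a bad password and a good one both invoke all five modules, whereas a pam_authtok_get failure stops after two. That is the practical difference between required and requisite, and the reason a stack's password check is normally required rather than requisite.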