System applications, such as login and ssh, that use the PAM framework are configured in the PAM configuration files in the /etc/pam.d directory. The /etc/pam.conf file can also be used. Changes to these files affect all users on the system.
Additionally, the /etc/security/pam_policy directory holds PAM configuration files. These files cover multiple services and are designed for per-user assignment. Files in this directory must not be modified.
/etc/pam.d directory – Contains service-specific PAM configuration files, including the wildcard file, other. To add a service for an application, add a single service-name file that is the service name used by the application. If appropriate, your application can use the PAM stack in the other file.
The service files in the /etc/pam.d directory provide the default configuration in most PAM implementations. They are self-assembled by using the IPS mechanism as described in the pkg(5) man page. This default simplifies interoperability with other cross-platform PAM applications. For more information, see the pam.conf(4) man page.
/etc/pam.conf file – The legacy PAM configuration and policy file. This file is delivered empty. The preferred mechanism for configuring PAM is to use the files in the /etc/pam.d directory. For more information, see the pam.conf(4) man page.
/etc/security/pam_policy directory – Contains PAM policy files that contain policies for multiple services. These files can be assigned to an individual, to a group of individuals, or to all users, as needed. Such an assignment overrides the system PAM configuration files in pam.conf or the /etc/pam.d directory. Do not modify these files. To add a per-user file, see How to Create a Site-Specific PAM Configuration File. For information about per-user files, see the pam_user_policy(5) man page.
The security administrator manages all PAM configuration files. An incorrect order of entries, that is, an incorrect PAM stack, can cause unforeseen side effects. For example, a badly configured file might lock out users so that single-user mode becomes necessary for repair. For assistance, see PAM Stacking and How to Troubleshoot PAM Configuration Errors.