
Developer's Guide to Oracle® Solaris 11.3 Security


Updated: April 2020
 
 

PAM Configuration

The PAM configuration, held in per-service policy files in /etc/pam.d or in the /etc/pam.conf file, configures the PAM service modules for system services such as login, su, and cron. The system administrator manages the PAM configuration. An incorrect order of entries in the per-service policy files in /etc/pam.d or in the /etc/pam.conf file can cause unforeseen side effects. For example, a badly configured per-service policy file in /etc/pam.d can lock out users so that single-user mode becomes necessary for repair.

PAM can also be configured through the per-service PAM policy files in the /etc/pam.d directory, in addition to the pam.conf file.

The /etc/pam.d directory contains files named using the value of PAM_SERVICE. For example, /etc/pam.d/ssh is the file to read for the ssh service. The syntax of the /etc/pam.d files is identical to that of /etc/pam.conf, except that the first column of the /etc/pam.conf file, which is the service name, is omitted.
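The following Python sketch is an added illustration of that syntax relationship, not code from the Oracle documentation: it splits pam.conf-style text into per-service /etc/pam.d bodies by dropping the service column while keeping each service's entry order. The sample policy and the function names are constructed for this example, and the parser assumes whole-line `#` comments and whitespace-separated fields.

```python
# Added example: derive per-service /etc/pam.d bodies from /etc/pam.conf text.
VALID_TYPES = {"auth", "account", "session", "password"}

# Constructed sample in /etc/pam.conf syntax; not a vendor-supplied policy.
SAMPLE_PAM_CONF = """\
# service  module_type  control_flag  module_path  options
login   auth     requisite   pam_authtok_get.so.1
login   auth     required    pam_unix_auth.so.1
ssh     auth     required    pam_unix_auth.so.1   debug
ssh     account  required    pam_unix_account.so.1
other   session  required    pam_unix_session.so.1
cron    account
"""

def split_pam_conf(text):
    """Return ({service: [pam.d lines]}, [(lineno, rejected line)])."""
    services, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        fields = line.split()
        # A pam.conf entry needs service, module_type, control_flag, module_path.
        if len(fields) < 4 or fields[1] not in VALID_TYPES:
            rejected.append((lineno, raw))
            continue
        # The pam.d form is the same entry with the service column omitted.
        # Appending in file order preserves the stacking order per service.
        services.setdefault(fields[0], []).append(" ".join(fields[1:]))
    return services, rejected

def render_pam_d(entries):
    """Body of one /etc/pam.d/<service> file, one entry per line."""
    return "\n".join(entries) + "\n"

if __name__ == "__main__":
    services, rejected = split_pam_conf(SAMPLE_PAM_CONF)
    for name, entries in services.items():
        print("--- /etc/pam.d/%s ---" % name)
        print(render_pam_d(entries), end="")
    for lineno, raw in rejected:
        print("rejected line %d: %r" % (lineno, raw))
```

Review the rejected lines before installing any generated file, because a dropped or reordered entry changes the stack for that service.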

Configuring PAM with the /etc/pam.d files has the following advantages:

  • A mistake in a per-service PAM policy file only affects that service.

  • Adding a new PAM service is simple because it requires only creating a file in /etc/pam.d.

  • Interoperability with cross-platform PAM applications is improved, because many other PAM implementations, such as Linux-PAM and OpenPAM, support /etc/pam.d.

  • System administrators can also customize the security policy of their site by overlaying any vendor-supplied /etc/pam.d files.

For information about PAM configuration, see Configuring PAM in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.

When configuring PAM, you need to consider the following aspects:

  • The PAM configuration file syntax.

  • The search order of the configured PAM services.

  • The PAM stacking order.

For more information about PAM configuration files, see PAM Configuration Reference in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.