When deciding how best to employ PAM in your environment, start by focusing on these issues:
Determine what your needs are, especially which modules you should select.
Identify the services that need special attention; use OTHER if appropriate.
Decide on the order in which the modules should be run.
Select the control flag for each module.
Choose any options necessary for the module.
Here are some suggestions to consider before changing the configuration file:
Use the OTHER entry for each module type so that not every application has to be listed individually.
Make sure to consider the security implications of the sufficient and optional control flags.
Review the man pages associated with the modules to understand how each module will function, what options are available, and the interactions between stacked modules.
If the PAM configuration file is misconfigured or gets corrupted, it is possible that even the superuser would be unable to log in. Since sulogin does not use PAM, the superuser would then be required to boot the machine into single-user mode and fix the problem.
After changing the /etc/pam.conf file, review it as much as possible while still logged in as superuser. Test all of the commands that might have been affected by your changes. For example, if you added a new module to the telnet service, use the telnet command and verify that the changes you made behave as expected.
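To support the review described above, the following added example (not part of the original documentation) lints pam.conf text for the points in the suggestions list: a missing OTHER entry per module type, and stacks that depend on sufficient or optional modules. It assumes the usual pam.conf field order (service, module type, control flag, module path, options); the sample configuration is constructed for illustration.

```python
from collections import defaultdict

MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample in /etc/pam.conf layout, not taken from a real system.
# Fields: service  module_type  control_flag  module_path  [options]
SAMPLE = """\
login   auth     required    pam_unix_auth.so.1
login   auth     required    pam_dial_auth.so.1
telnet  auth     sufficient  pam_krb5.so.1
telnet  auth     required    pam_unix_auth.so.1
rlogin  auth     optional    pam_unix_auth.so.1
other   auth     required    pam_unix_auth.so.1
other   account  required    pam_unix_account.so.1
other   session  required    pam_unix_session.so.1
"""

def parse(text):
    """Return {(service, module_type): [(flag, module), ...]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 4:                   # blank or short lines are skipped
            service, mtype, flag, module = fields[:4]
            stacks[(service.lower(), mtype.lower())].append((flag.lower(), module))
    return stacks

def lint(text):
    """Return a list of human-readable findings to review before deploying."""
    stacks = parse(text)
    findings = [f"no 'other' entry for module type {t}"
                for t in MODULE_TYPES if ("other", t) not in stacks]
    for (service, mtype), stack in stacks.items():
        flags = [flag for flag, _ in stack]
        for i, flag in enumerate(flags):
            # A successful 'sufficient' module ends the stack early (when no
            # earlier required module failed), so later modules may never run.
            if flag == "sufficient" and i < len(flags) - 1:
                findings.append(f"{service}/{mtype}: sufficient {stack[i][1]} "
                                f"can skip {len(flags) - 1 - i} later module(s)")
        if not any(flag in ("required", "requisite") for flag in flags):
            findings.append(f"{service}/{mtype}: no required or requisite module")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it against a copy of the edited file while the superuser session is still open; the findings are prompts for review against the module man pages, not verdicts.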