Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

PAM Configuration File Syntax

    The pam.conf file and the PAM per-user files use a syntax that is different from the service-specific files in the pam.d directory.

  • The entries in the /etc/pam.conf file and the /etc/security/pam_policy files are in one of two formats:

    service-name module-type control-flag module-path module-options
    service-name module-type include path-to-included-PAM-configuration
  • The entries in the service-name files in the /etc/pam.d directory omit the service name. The name of the file provides the service name.

    module-type control-flag module-path module-options
    module-type include path-to-included-PAM-configuration

The PAM configuration file syntax items are as follows:


The case-insensitive name of the service, for example, login or ssh. An application can use different service names for the services that the application provides. For example, search for the word PAM in the sshd(1M) man page for the service names for the different services that the sshd daemon provides.

The predefined service name “other” is the default service name if no specific service configuration is provided.


Indicates the type of service, that is, auth, account, session, or password.


Indicates the role of the module in determining the success or failure value for the service. Valid control flags are described in PAM Stacking.


The path to the module that implements the module type. If the pathname is not absolute, it is assumed to be relative to the path /usr/lib/security/$ISA/. The $ISA macro or token directs the PAM framework to look in the module path's architecture-specific directory.


Options such as nowarn and debug that can be passed to the service modules. A module's man page describes the options for that module.


Specifies the full path to a PAM configuration file or a file name that is relative to the /usr/lib/security directory.