The PAM configuration, per-service policy files in /etc/pam.d or the /etc/pam.conf file, is used to configure PAM service modules for system services, such as login, su, and cron. The system administrator manages the PAM configuration. An incorrect order of entries in the per-service policy files in /etc/pam.d or the /etc/pam.conf file can cause unforeseen side effects. For example, a badly configured per-service policy file in /etc/pam.d can lock out users so that single-user mode becomes necessary for repair.
PAM can also be configured via the per-service PAM policy files in the /etc/pam.d directory in addition to the pam.conf file.
The /etc/pam.d directory contains files named using the value of PAM_SERVICE. For example, /etc/pam.d/ssh is the file to read for the ssh service. The syntax of the /etc/pam.d files is identical to that of /etc/pam.conf except that the first column in the /etc/pam.conf file, which is the service name, is omitted.
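The relationship between the two syntaxes, as an added example that is not part of the original documentation: the function below splits pam.conf-style entries into per-service file contents by dropping the service-name column and keeping the entries in their original stacking order. The sample entries are constructed, and the function names are hypothetical.

```python
# Added example. Entries are constructed samples in /etc/pam.conf syntax:
#   service_name  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """\
# constructed sample, not taken from a real system
login   auth     requisite  pam_authtok_get.so.1
login   auth     required   pam_unix_auth.so.1
cron    account  required   pam_unix_account.so.1
other   auth     required   pam_unix_auth.so.1 debug
"""

MODULE_TYPES = {"auth", "account", "session", "password"}


def split_pam_conf(text):
    """Return {service: [entries without the service column]}, order preserved."""
    services = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields: {raw!r}")
        service, module_type = fields[0], fields[1]
        if module_type not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module type {module_type!r}")
        # Per-service syntax is the same entry minus the first column.
        services.setdefault(service, []).append(" ".join(fields[1:]))
    return services


def render_pam_d(text):
    """Map each service to the contents its /etc/pam.d/<service> file would hold."""
    return {
        f"/etc/pam.d/{service}": "\n".join(entries) + "\n"
        for service, entries in split_pam_conf(text).items()
    }


if __name__ == "__main__":
    # Print only; nothing is written to /etc.
    for path, body in render_pam_d(SAMPLE_PAM_CONF).items():
        print(f"== {path}\n{body}", end="")
```

Because each service ends up in its own file, a malformed entry for one service is reported against that service's line and leaves the other services' files unaffected.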
Configuring PAM with the /etc/pam.d files has the following advantages:
A mistake in a per-service PAM policy file only affects that service.
Adding new PAM services is simple as it requires only creating a file in /etc/pam.d.
Improved interoperability with cross-platform PAM applications since many other PAM implementations such as Linux-PAM and OpenPAM support /etc/pam.d.
System administrators can also customize the security policy of their site by overlaying any vendor-supplied /etc/pam.d files.
For information about PAM configuration, see Configuring PAM in Managing Authentication in Oracle Solaris 11.4.
When configuring PAM, consider the following aspects:
The PAM configuration file syntax
The search order of the configured PAM services
The PAM stacking order
For more information about PAM configuration files, see PAM Configuration Reference in Managing Authentication in Oracle Solaris 11.4.