Each PAM-aware service or application has its own file.
Each file includes directives, formatted in the following way: <module interface> <control flag> <module name> <module arguments>
Module interfaces define the functions of the authentication/authorization process that a module provides. The interfaces are account, auth, password, and session.
account checks whether a user is allowed access to something.
auth is used to verify passwords and to set credentials (such as Kerberos tickets).
password is used to change passwords.
session is used when performing tasks in a user session that are required for access (such as mounting home directories).
Control flags indicate what should be done upon the success or failure of the module.
When the optional flag is set, the module result is ignored.
The required flag mandates that the module result must be successful to continue the authentication, and the user is notified when all tests in the module interfaces are finished.
The requisite flag is the same as the required flag, except that it notifies the user immediately upon failure.
The sufficient flag states that the module result is ignored upon failure.
The module name defines the module to which the directive applies.
Module arguments are additional options you can pass into the module.
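The directive format and control flags described above, as an added example that is not part of the original notes and not PAM's own code: a small parser plus a simplified model of how the four flags combine within one interface. The sample configuration is constructed, and the model assumes two things beyond the notes: a successful sufficient module ends the stack early when no earlier required module has failed, and a stack with no counted result denies access.

```python
INTERFACES = {"account", "auth", "password", "session"}
FLAGS = {"optional", "required", "requisite", "sufficient"}

# Constructed sample configuration (not taken from a real system).
SAMPLE = """\
# login checks
auth     requisite  pam_nologin.so
auth     sufficient pam_unix.so try_first_pass
auth     required   pam_deny.so
password required   pam_cracklib.so retry=5
"""

def parse_directive(line):
    """Split '<interface> <flag> <module> [arguments]'; None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if len(fields) < 3:
        raise ValueError(f"incomplete directive: {line!r}")
    interface, flag, module, *args = fields
    if interface not in INTERFACES or flag not in FLAGS:
        raise ValueError(f"unknown interface or control flag: {line!r}")
    return {"interface": interface, "flag": flag, "module": module, "args": args}

def parse_config(text):
    """Parse every directive in a configuration file's text, skipping comments."""
    return [d for d in map(parse_directive, text.splitlines()) if d]

def evaluate(stack, interface, results):
    """Simplified model of the four flags; results maps module name -> True/False."""
    failed = passed = False
    for d in stack:
        if d["interface"] != interface or d["flag"] == "optional":
            continue                      # optional: result ignored
        ok = results[d["module"]]
        if d["flag"] == "sufficient":
            if ok and not failed:
                return True               # success ends the stack early
            continue                      # failure is ignored
        if not ok and d["flag"] == "requisite":
            return False                  # requisite: fail immediately
        passed, failed = passed or ok, failed or not ok
    return passed and not failed          # assumption: no counted result denies

STACK = parse_config(SAMPLE)
```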
Manage passwords:
Test Passwords Against a Dictionary Attack:
password required pam_cracklib.so retry=5
The user must change the password within 5 tries, and the new password must not be in the checking dictionary.