Changing the /etc/pam.conf File
When changing the /etc/pam.conf configuration file, consider the following:
- The file should always be owned by the root user and the security group. Permissions on the file should be set to 644 so that everyone has read access but only root can modify it.
- For greater security, consider explicitly configuring each PAM-enabled service and then using the pam_prohibit module for the OTHER service keyword.
- Read any documentation supplied for a chosen module and service, and determine which control flags, options and module types are supported and what their impact will be.
- Select the ordering of modules and control flags carefully, keeping in mind the behavior of required, requisite, sufficient, and optional control flags in stacked modules.
Note: Incorrect configuration of the PAM configuration file can result in a system that cannot be logged in to since the configuration applies to all users, including root. After making changes to the file, always test the affected applications before logging out of the system. A system that cannot be logged in to can be recovered by booting the system in maintenance mode and correcting the /etc/pam.conf configuration file.
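The first two checklist items can be verified with a short audit script before logging out. This is an added example, not code from the original documentation; the function names, the constructed sample entries and the /usr/lib/security module path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original documentation).
# Assumed entry format: service module_type control_flag module_path [options]

# check_meta FILE [OWNER] [GROUP]: true only if FILE is mode 644 and owned by
# OWNER:GROUP (defaults root:security, as stated in the checklist).
check_meta() {
    file=$1 want_owner=${2:-root} want_group=${3:-security}
    set -- $(ls -l "$file" 2>/dev/null)
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop any trailing ACL marker
    [ "$mode" = "-rw-r--r--" ] && [ "$3" = "$want_owner" ] && [ "$4" = "$want_group" ]
}

# check_other [FILE]: true only if OTHER has an entry for auth, account,
# password and session, and every OTHER entry uses pam_prohibit.
# Reads stdin when no FILE is given; prints each weak or missing entry.
check_other() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }            # skip comments and short lines
        $1 == "OTHER" {
            seen[$2] = 1
            n = split($4, p, "/")               # accept bare name or full path
            if (p[n] != "pam_prohibit") { print "weak: " $0; bad = 1 }
        }
        END {
            split("auth account password session", types, " ")
            for (i = 1; i <= 4; i++)
                if (!(types[i] in seen)) { print "missing: OTHER " types[i]; bad = 1 }
            exit bad + 0
        }' "$@"
}

# Constructed sample: login is configured explicitly, but OTHER auth still
# falls through to pam_aix and OTHER has no session entry.
sample_conf() {
cat <<'EOF'
login   auth      required   pam_aix
login   account   required   pam_aix
OTHER   auth      required   pam_aix
OTHER   account   required   pam_prohibit
OTHER   password  required   /usr/lib/security/pam_prohibit
EOF
}

# Demo on the constructed sample; on a real system run: check_other /etc/pam.conf
sample_conf | check_other || echo "OTHER fallback is not fully locked down"
```

Run both checks from a second root session that stays logged in, so a mistake in the file can still be corrected.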