required |
Must pass |
auth required pam_unix.so |
The module must succeed; even if later ones pass, login fails if this one fails. |
requisite |
Must pass or stop |
auth requisite pam_nologin.so |
If this fails, PAM stops immediately and denies access (e.g., during maintenance). |
sufficient |
One success is enough |
auth sufficient pam_ssh.so |
If this succeeds, PAM skips the rest and grants access (e.g., SSH key login). |
optional |
Minimal impact |
session optional pam_lastlog.so |
Used for non-critical tasks like showing the last login; failure doesn’t block access. |