Files in /etc/pam.d/

Matthew Seaman matthew at
Sun Nov 6 12:14:22 UTC 2016

On 06/11/2016 10:15, Rocky Hotas wrote:
> The directory /etc/pam.d/ contains PAM policies for services. Some
> are pretty clear and unambiguous: /etc/pam.d/sshd is related to the
> ssh listening service. But some other are not. For example: in that
> directory, "login", "passwd" and "system" refer to very similar
> fields. So, I would like to ask: - What exactly is the scope of
> *each* of them? Does exists a documentation about it? - What is (if
> any) the hierarchy followed by them? Let's say that "system" (which
> contains system-wide login policy) and "sshd" have different
> statements: which one will prevail? I have not found an answer to
> these questions on documentation
> (
> Moreover, nor "man pam.d" neither /etc/pam.d/README contain
> information about it.

Hi, Rocky,

As you say, many of the PAM policies clearly relate to protocols the
files are named after.

The 'login' policy covers console logins, and the 'passwd' policy covers
use of the passwd(1) utility for changing your password.

Now, if you look at most of the policies in that directory you'll see
many of the entries include the 'system' policy.  The 'system' policy
therefore acts as a form of default policy for many of the different
services.  The effect of a statement like this:

session		include		system

is to substitute the 'session' likes from /etc/pam.d/system, like so:

#session        optional              want_agent
session         required          no_fail

Considering the 'sshd' policy: since this doesn't include the 'system'
policy only the statements in /etc/pam.d/sshd have any effect.  That is,
assuming that ssh(8) is configured to use PAM.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-questions mailing list