PAM uses arguments to pass information to a pluggable module during
authentication for a particular module type. These arguments allow the
PAM configuration files for particular programs to use a
common PAM module but in different ways.
For example, the pam_userdb.so module uses
secrets stored in a Berkeley DB file to authenticate the
user. Berkeley DB is an open source database system designed to be
embedded in many applications to track information. The module takes
a db argument, specifying the Berkeley DB
filename to use, which can be different for different services.
So, the pam_userdb.so line in a PAM configuration
file looks like this:
auth required /lib/security/pam_userdb.so db=path/to/file
Invalid arguments are ignored and do not otherwise affect the success
or failure of the PAM module. When an invalid argument is passed, an
error is usually written to the
/var/log/messages file. However, since the reporting method
is controlled by the PAM module, the module must be written correctly to
log the error to this file.
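
Because an invalid argument is ignored rather than rejected, a misspelled option can go unnoticed unless the module logs it. The following check is an added example, not part of the original guide or of PAM itself: it parses PAM configuration lines and reports arguments a module would not recognise. The function names and the sample text are constructed for illustration, and the option list for pam_userdb.so is an assumption taken from the Linux-PAM pam_userdb(8) manual page, so adjust it to the installed version.

```python
import re

# Assumption: option names as listed in the Linux-PAM pam_userdb(8) manual page.
KNOWN_ARGS = {
    "pam_userdb.so": {"db", "crypt", "debug", "dump", "icase",
                      "try_first_pass", "use_first_pass", "unknown_ok", "key_only"},
}
# A token is a [bracketed group] (which may contain spaces) or a run of non-space text.
TOKEN = re.compile(r"\[[^\]]*\]|\S+")

def parse_line(line):
    """Split one /etc/pam.d-style line into (type, control, module, args), or None."""
    tokens = TOKEN.findall(line.split("#", 1)[0])
    if len(tokens) < 3 or tokens[0].startswith("@"):
        return None  # blank line, comment, include directive, or incomplete entry
    return tokens[0].lstrip("-"), tokens[1], tokens[2], tokens[3:]

def unknown_arguments(config_text):
    """Return (line_number, module, argument) for arguments the module would ignore."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        module = parsed[2].rsplit("/", 1)[-1]  # compare on the file name only
        allowed = KNOWN_ARGS.get(module)
        if allowed is None:
            continue  # no option list for this module, nothing to compare against
        for arg in parsed[3]:
            if arg.split("=", 1)[0] not in allowed:
                findings.append((number, module, arg))
    return findings

# Constructed sample: line 3 misspells "db" and line 4 misspells "crypt".
SAMPLE = """\
# constructed example, not a real service file
auth required /lib/security/pam_userdb.so db=path/to/file
auth required /lib/security/pam_userdb.so dbb=path/to/file
account [success=1 default=ignore] pam_userdb.so db=path/to/file cryp=none debug
"""

if __name__ == "__main__":
    for number, module, arg in unknown_arguments(SAMPLE):
        print(f"line {number}: {module} does not recognise '{arg}'")
```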