16.3.2. Control Flag

All PAM modules generate a success or failure result when called. Control flags tell PAM what do with the result. Since modules can be stacked in a particular order, control flags decide how important the success or failure of a particular module is to the overall goal of authenticating the user to the service.
There are four predefined control flags:
  • required — The module result must be successful for authentication to continue. If a required module result fails, the user is not notified until results on all modules referencing that interface are completed.
  • requisite — The module result must be successful for authentication to continue. However, if a requisite module result fails, the user is notified immediately with a message reflecting the first failed required or requisite module.
  • sufficient — The module result is ignored if it fails. However, if a sufficient flagged module result is successful and no required flagged modules above it have failed, then no other results are required and the user is authenticated to the service.
  • optional — The module result is ignored. A module flagged as optional only becomes necessary for successful authentication when there are no other modules referencing the interface.


The order in which required modules are called is not critical. The sufficient and requisite control flags cause order to become important.
A newer control flag syntax which allows for more precise control is now available for PAM. Please see the PAM documentation located in the /usr/share/doc/pam-<version-number>/ directory for information on this new syntax (where <version-number> is the version number for PAM).