Why do we need `required` when we have `requisite` in `PAM`?
I was wondering why do we need `required` in `PAM` when we have `requisite`. I know that `required` will allow to keep going through `auth` stack, but the authentication process will fail anyway finally. So why not simply to use `requisite`?

Is that for security reasons maybe? Or is there anything else I am missing? In that case, so let's make the question the opposite, when do we need `requisite` instead of `required`?
Differentiating between `required` and `requisite` gives additional flexibility in PAM configuration. As you note, once the authentication is known to fail, in many cases there is no point in continuing further. As an example, suppose we are maintaining a log of all attempts to access the resource in question. In this case, it could be useful to include directives that can add to the logs after the authentication result is known (or trigger other actions, such as informing the sysadmin of the attempt). `required` will ensure the authentication fails, while still allowing subsequent actions to take place.
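The difference described in this answer, as an added example that is not part of the original post: a simplified Python model of how one PAM stack is walked, showing which modules still run after a failed password check. It assumes `pam_exec.so` stands in for the logging step, uses constructed module results, and leaves out the `[value=action]` control syntax and the special case of a stack made only of `optional` modules.

```python
# Simplified model of PAM stack evaluation for the four classic control flags.
# Module results are constructed sample data, not output from a real system.
SUCCESS, FAILURE = "success", "failure"

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> SUCCESS or FAILURE.
    Returns (final_result, list_of_modules_that_ran)."""
    ran = []
    required_failed = False
    for control, module in stack:
        outcome = results[module]
        ran.append(module)
        if control == "requisite":
            # Failure ends the stack at once: nothing below this line runs.
            if outcome == FAILURE:
                return FAILURE, ran
        elif control == "required":
            # Failure is remembered, but the remaining modules still run.
            if outcome == FAILURE:
                required_failed = True
        elif control == "sufficient":
            # Success ends the stack early unless a required module already failed.
            if outcome == SUCCESS and not required_failed:
                return SUCCESS, ran
        elif control == "optional":
            pass  # result ignored in this model
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return (FAILURE if required_failed else SUCCESS), ran

# Assumption: pam_exec.so plays the role of the logging/notification step.
WITH_REQUIRED = [("required", "pam_unix.so"), ("optional", "pam_exec.so")]
WITH_REQUISITE = [("requisite", "pam_unix.so"), ("optional", "pam_exec.so")]
BAD_PASSWORD = {"pam_unix.so": FAILURE, "pam_exec.so": SUCCESS}
GOOD_PASSWORD = {"pam_unix.so": SUCCESS, "pam_exec.so": SUCCESS}

if __name__ == "__main__":
    for name, stack in (("required", WITH_REQUIRED), ("requisite", WITH_REQUISITE)):
        result, ran = run_stack(stack, BAD_PASSWORD)
        print(f"{name:9} -> {result}; modules run: {', '.join(ran)}")
```

Both stacks reject the bad password; only the `required` variant reaches the module placed after the password check.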