Why do we need `required` when we have `requisite` in `PAM`?

I was wondering why do we need required in PAM when we have requisite. I know that required will allow to keep going through auth stack, but the authentication process will fail anyway finally. So why not simply to use requisite?

Is that for security reasons maybe? or is there anything else I am missing? In that case, so let's make the question the opposite, when do we need requisite instead of required?


Differentiating between required and requisite gives additional flexibility in PAM configuration. As you note, once the authentication is known to fail, in many cases there is no point in continuing further. As an example, suppose we are maintaining a log of all attempts to access the resource in question. In this case, it could be useful to include directives that can add to the logs after the authentication result is known (or trigger other actions, such as informing the sysadmin of the attempt). required will ensure the authentication fails, while still allowing subsequent actions to take place.