How are services mapped to the files in /etc/pam.d?

The PAM "service" name ("sshd", "sudo", etc.) is compiled into the application. That is what decides which file will be initially loaded. After that, the @include lines are processed as described in freiheit's post.


It might be hardcoded into the programs, but each service has its own file in /etc/pam.d generally named after the actual process name. Local and serial consoles both work via getty which passes off actual logging in to "login", so you'd need to look at /etc/pam.d/login. SSH is actually "sshd", so it's in /etc/pam.d/sshd

On most modern distros, those files mostly contain lines like "@include common-password" or "auth include system-auth", so for those two you'd then need to look at /etc/pam.d/common-password or /etc/pam.d/system-auth. Slightly older distros (RHEL3, for instance), use something like "auth required pam_stack.so service=system-auth", which is a module based version of the same thing.