account this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user -- ’root’ login only on the console. auth this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership or other privileges through its credential granting properties. password this module type is required for updating the authentication token associated with the user. Typically, there is one module for each ’challenge/response’ based authentication (auth) type. session this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc. The third field, control, indicates the behavior of the PAM-API should the module fail to succeed in its authentication task. There are two types of syntax for this control field: the simple one has a single simple keyword; the more complicated one involves a square-bracketed selection of value=action pairs. For the simple (historical) syntax valid control values are: required failure of such a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked. requisite like required, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment. sufficient success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module has failed the success of this one is ignored). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. optional the success or failure of this module is only important if it is the only module in the stack associated with this service+type. include include all lines of given type from the configuration file specified as an argument to this control.
而所有的pam的方法都在/lib64/security/ 目录下，查询到登录验证是通过pam_tally2这个来进行的。通过man pam_tally2找到了很多对应的方法。因为之前查了很多网上的方法都是只针对普通用户的，不针对root用户的。root的方法跟普通的是不一样的。从这个来看以后还是得多看man帮助。
cat /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_tally2.so deny=3 onerr=fail no_magic_root even_deny_root unlock_time=120 root_unlock_time=120 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid &gt;= 500 quiet auth required pam_deny.so account required pam_unix.so account sufficient pam_succeed_if.so uid &lt; 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so