PAM - required and sufficient control flag

PAM proceeds through the items on the stack in sequence. It only keeps the memory of what state it's in (success or denied, with success meaning success so far), not of how it reached that state.

If an item marked sufficient succeeds, the PAM library stops processing that stack. This happens whether there were previous required items or not. At this point, PAM returns the current state: success if no previous required item failed, otherwise denied.

Similarly, if an item marked requisite fails, the PAM library stops processing and returns a failure. At that point, it's irrelevant whether a previous required item failed.

In other words, required doesn't necessarily cause the whole stack to be processed. It only means to keep going.