PAM - required and sufficient control flag
PAM proceeds through the items on the stack in sequence. It only keeps the memory of what state it's in (success or denied, with success meaning success so far), not of how it reached that state.
If an item marked sufficient
succeeds, the PAM library stops processing that stack. This happens whether there were previous required
items or not. At this point, PAM returns the current state: success if no previous required
item failed, otherwise denied.
Similarly, if an item marked requisite
fails, the PAM library stops processing and returns a failure. At that point, it's irrelevant whether a previous required
item failed.
In other words, required
doesn't necessarily cause the whole stack to be processed. It only means to keep going.