Invalid value "-session". Valid values are account, auth, password, session.
From the pam.d(8) manual page:
If the type value from the list above is prepended with a - character the PAM library will not log to the system log if it is not possible to load the module because it is missing in the system. This can be useful especially for modules which are not always installed on the system and are not required for correct authentication and authorization of the login session.
It could be argued that this situation should be handled more intelligently with parameters, but it is valid syntax.
For example, "-session" is a valid pam entry.
If you try to use it, you get:
Invalid value "-session". Valid values are account, auth, password, session.
From the pam.d(8) manual page:
If the type value from the list above is prepended with a - character the PAM library will not log to the system log if it is not possible to load the module because it is missing in the system. This can be useful especially for modules which are not always installed on the system and are not required for correct authentication and authorization of the login session.
It could be argued that this situation should be handled more intelligently with parameters, but it is valid syntax.