pam-script.so is a pam module that implements session management. It optionally runs a session open script (/etc/security/onsessionopen), a session close script (/etc/security/onsessionclose) or an authentication script (/etc/security/onauth) if they exist. Alternatively any other script can be executed using the options onsessionopen=/path/to/script, onsessionclose=/path/to/script and onauth=/path/to/script.
Run path instead of /etc/security/onsessionopen
Run path instead of /etc/security/onsessionclose
Bitmask that determines what information in the pam_environment to expose to the script's environment. Set this to 1 to expose PAM_AUTHTOK and 2 to expose KRB5CCNAME (the kerberos ticket cache). Remember that exposing PAM_AUTHTOK may be dangerous.