The Self authentication component
  (pam_sm_authenticate()), returns success if and only
  if the target user's user ID is identical with the current real user ID. If
  the current real user ID is zero, authentication will fail, unless the
  allow_root option was specified.
The following options may be passed to the authentication
  module:
  - debug
- syslog(3) debugging
      information at LOG_DEBUGlevel.
- no_warn
- suppress warning messages to the user. These messages include reasons why
      the user's authentication attempt was declined.
- allow_root
- do not automatically fail if the current real user ID is 0.