libpam-runtime: /etc/pam.d/common-auth bug?

Patrick Goetz pgoetz at
Thu Apr 22 17:10:53 UTC 2010

This list is actually cited as the package maintainer in the package
status for libpam-runtime, so I thought I would run this by here first
before filing a bug against the package just in case I'm terribly confused.

Both in the /usr/share/pam/common-auth template and in various
instantiations of this I've looked at one finds the following in the
middle of the common-auth file:

# here's the fallback if no module succeeds
auth  requisite
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth  required
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Am I missing something?  My understanding of how pam works indicates
that the line:

   auth  requisite

is the end of the road for all further processing, since requisite
returns fail instantly upon failure and pam_deny always returns failure.
Anything beyond this is consequently superfluous, so given that there
is stuff afterwards (e.g. pam_permit), this is probably not the package
maintainer's intention.  Most people are not going to notice this
because auth processing occurs before the pam_deny line.
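
How the two lines in the excerpt behave depends on the module lines above them, which the excerpt does not show. The following is an added example, not part of the original message and not libpam code: a simplified Python model of Linux-PAM's control-flag handling, run over a constructed stack. Its first line (`[success=1 default=ignore] pam_unix.so`) is an assumption standing in for the primary block, and `run_stack`, `parse_control`, `STACK` and `ALWAYS` are names made up for this illustration.

```python
# Simplified model of Linux-PAM's stack walk; added illustration, not libpam code.
SUCCESS, AUTH_ERR, MUST_FAIL = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"

# The classic keywords are shorthand for these bracketed value=action lists.
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def parse_control(control):
    """Turn 'requisite' or '[success=1 default=ignore]' into {value: action}."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())

def run_stack(stack, results):
    """stack: [(control, module)]; results: {module: return code}.
    Returns (final status, modules that were actually called)."""
    impression, status, called, i = None, SUCCESS, [], 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        retval = results[module]
        called.append(module)
        rules = parse_control(control)
        action = rules.get(retval[4:].lower(), rules["default"])
        if action.isdigit():
            i += int(action)          # jump over N lines; casts no vote
        elif action in ("ok", "done"):
            if impression is None or (impression == "good" and status == SUCCESS):
                impression, status = "good", retval
            if action == "done" and impression == "good":
                break
        elif action in ("bad", "die"):
            if impression != "bad":
                impression, status = "bad", retval
            if action == "die":
                break                 # requisite failure: stop right here
        # "ignore": this module's result is not counted at all
    if impression != "good" and status == SUCCESS:
        status = MUST_FAIL            # nobody voted for success
    return status, called

# Constructed stack: the first line is an assumed primary-block entry.
STACK = [("[success=1 default=ignore]", "pam_unix.so"),
         ("requisite", "pam_deny.so"),
         ("required", "pam_permit.so")]
ALWAYS = {"pam_deny.so": AUTH_ERR, "pam_permit.so": SUCCESS}
```

In this model, `run_stack(STACK, {**ALWAYS, "pam_unix.so": SUCCESS})` never calls pam_deny.so and finishes on pam_permit.so, while an `AUTH_ERR` from pam_unix.so ends the walk at pam_deny.so. Dropping the pam_permit.so line makes the successful case return the must-fail code, because a jump by itself leaves no success vote on the stack.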
