libpam-runtime: /etc/pam.d/common-auth bug?

Patrick Goetz pgoetz at
Thu Apr 22 20:16:48 UTC 2010

Here to answer my own question after a little more RTFM.  The preceding
common-auth lines are set up using the new-fangled jump feature:

    auth  [success=2 default=ignore] nullok_secure
    auth  [success=1 default=ignore] use_first_pass
    # here's the fallback if no module succeeds
    auth  requisite
    # prime the stack with a positive return value if there isn't one
    # this avoids us returning an error just because nothing sets a
    # success code
    # since the modules above will each just jump around
    auth  required

success=2 means jump over the next 2 modules.  It still seems that

    auth  required

is never useful, unless default=ignore means don't return PAM-API
success for this module.  The documentation is pretty sparse on this matter.

It's not at all clear to me how this is an improvement over the much simpler

    auth  sufficient nullok_secure
    auth  sufficient use_first_pass

Also, the use_first_pass on the pam_ldap line seems entirely incorrect
and should be issuing syslog errors, based on the definition of
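
The jump stack quoted in the message above, run through a small model next to the two-line `sufficient` variant; this is an added example, not part of the original post and not libpam code. The module labels `mod_a`, `mod_b`, `fallback` and `prime` are hypothetical, and the model assumes, as the comments in the quoted file say, that a numeric jump only skips modules and does not itself set a success code.

```python
# Added example: simplified model of PAM stack evaluation, not libpam code.
# Assumption (from the comments in the quoted file): a numeric jump only
# skips modules and does not itself set a success code for the stack.
# mod_a, mod_b, fallback and prime are hypothetical labels.

def run_stack(stack, outcomes):
    """Return (authenticated, modules_run) for a list of (control, name)."""
    positive = failed = False
    skip, ran = 0, []
    for control, name in stack:
        if skip:                          # still jumping over modules
            skip -= 1
            continue
        ran.append(name)
        ok = outcomes[name]
        if isinstance(control, dict):     # [success=N default=ignore]
            if ok:
                skip = control["success"]  # jump, contribute nothing
            # failure falls under default=ignore: contribute nothing
        elif control == "sufficient":
            if ok and not failed:
                return True, ran          # stop here with success
        elif control == "requisite":
            if not ok:
                return False, ran         # stop here with failure
            positive = True
        elif control == "required":
            if ok:
                positive = True
            else:
                failed = True
    return positive and not failed, ran

JUMP_STACK = [({"success": 2, "default": "ignore"}, "mod_a"),
              ({"success": 1, "default": "ignore"}, "mod_b"),
              ("requisite", "fallback"), ("required", "prime")]
SUFFICIENT_STACK = [("sufficient", "mod_a"), ("sufficient", "mod_b")]

def outcomes(a, b):
    # fallback always fails, prime always succeeds (per the file's comments)
    return {"mod_a": a, "mod_b": b, "fallback": False, "prime": True}

if __name__ == "__main__":
    for a, b in [(True, False), (False, True), (False, False)]:
        print(a, b, run_stack(JUMP_STACK, outcomes(a, b)),
              run_stack(SUFFICIENT_STACK, outcomes(a, b)))
    # With the final "required" line dropped, a successful jump ends the
    # stack with no positive result at all.
    print(run_stack(JUMP_STACK[:3], outcomes(True, False)))
```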
