Hello,
On 2020-02-14 13:25, Christoph Pleger wrote:
auth [success=2 default=ignore] pam_p11.so /usr/local/lib/libcvP11.so
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_group.so
auth optional pam_cap.so
# end of pam-auth-update config
The question here is why the application gets any knowledge at all about
some failed PAM module. Should it not just get the final result from the
complete PAM stack, which is PAM_SUCCESS in this case?
Regards
Christoph
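
The jump logic of the auth stack quoted above, as an added example that is not part of the original message and is not libpam code: a simplified Python model of how the control values combine into one stack result. The function names and the per-module return values are constructed assumptions; only the actions this stack uses (jump, ok, ignore, bad, die) are modelled.

```python
# Simplified model of Linux-PAM stack evaluation (illustrative, not libpam itself).
SHORTHAND = {  # keyword controls reduced to the two cases this stack needs
    "requisite": {"success": "ok", "default": "die"},
    "required": {"success": "ok", "default": "bad"},
    "optional": {"success": "ok", "default": "ignore"},
}

# The auth stack from the message, in order: (control, module)
STACK = [
    ({"success": 2, "default": "ignore"}, "pam_p11.so"),
    ({"success": 1, "default": "ignore"}, "pam_unix.so"),
    (SHORTHAND["requisite"], "pam_deny.so"),
    (SHORTHAND["required"], "pam_permit.so"),
    (SHORTHAND["optional"], "pam_group.so"),
    (SHORTHAND["optional"], "pam_cap.so"),
]

def run_stack(stack, results):
    """results maps module -> return value. Returns (final_status, trace)."""
    status, failed, trace, i = None, False, [], 0
    while i < len(stack):
        control, module = stack[i]
        ret = results[module]
        action = control["success" if ret == "PAM_SUCCESS" else "default"]
        trace.append((module, ret, action))
        i += 1
        if isinstance(action, int):
            i += action              # jump: skip N modules, status untouched
        elif action == "ok" and not failed:
            status = ret             # contributes a success code
        elif action in ("bad", "die"):
            if not failed:
                status, failed = ret, True
            if action == "die":
                break                # requisite failure ends the stack at once
    # Nothing set a status: the stack as a whole fails.
    return (status or "PAM_PERM_DENIED"), trace

def outcome(p11, unix):
    """Run the stack with constructed results for the two primary modules."""
    results = {"pam_p11.so": p11, "pam_unix.so": unix,
               "pam_deny.so": "PAM_AUTH_ERR", "pam_permit.so": "PAM_SUCCESS",
               "pam_group.so": "PAM_SUCCESS", "pam_cap.so": "PAM_IGNORE"}  # constructed
    return run_stack(STACK, results)

if __name__ == "__main__":
    for p11, unix in [("PAM_AUTH_ERR", "PAM_SUCCESS"), ("PAM_AUTH_ERR", "PAM_AUTH_ERR")]:
        final, trace = outcome(p11, unix)
        print(final, [m for m, _, _ in trace])
```

In this model the pam_p11.so failure is ignored for the purpose of the stack result, and pam_permit.so is what supplies the success code after the jump over pam_deny.so.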