Hi,
I really like the fact that you can use user_unknown=ignore to
introduce pam_oath gradually, and it works fine if you use one users
file to store all the secrets; but when you use a file per user
(like with usersfile=/oath/${USER}), users that do not have a secret
yet do need an empty file for PAM_USER_UNKNOWN to be returned;
without, you get a file-not-found kind of error instead.
It is debatable whether this is a bug or just unexpected behaviour,
but to me it would make more sense if in such a configuration, a
missing file would also lead to PAM_USER_UNKNOWN.
Best,
Dirk van Deun
--
Ceterum censeo Redmond delendum
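
The workaround described in the message above (an empty file for every user who has no secret yet), as an added shell example that is not part of the original message or of pam_oath. The function name `ensure_oath_files` is hypothetical; the `/oath` directory layout follows the `usersfile=/oath/${USER}` setting quoted above, and file ownership is assumed to be handled separately by the administrator.

```shell
#!/bin/sh
# Added example: pre-create empty per-user OATH files so that, per the
# message above, pam_oath with user_unknown=ignore sees an unknown user
# instead of a missing file. The function name is hypothetical.

# ensure_oath_files DIR USER...
# Creates DIR/USER as an empty file (mode 0600) when it does not exist yet.
# Existing files, which may hold secrets, are never truncated or modified.
# Prints the name of each user for whom a file was created.
ensure_oath_files() {
    dir=$1
    shift
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for user in "$@"; do
        # Refuse empty names and names that could escape DIR.
        case $user in
            ''|.*|*/*) echo "skipping unsafe name: $user" >&2; continue ;;
        esac
        file=$dir/$user
        # -e follows symlinks, -L catches dangling ones; leave either alone.
        if [ -e "$file" ] || [ -L "$file" ]; then
            continue
        fi
        # noclobber (set -C) makes the redirection fail rather than truncate
        # if the file appears between the check above and the create.
        if ( umask 077; set -C; : > "$file" ) 2>/dev/null; then
            echo "$user"
        fi
    done
}

# Typical call (user names are constructed sample values):
#   ensure_oath_files /oath alice bob
```

Once a user enrolls, their real secret line replaces the empty file; rerunning the function leaves that file untouched.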