Hi Sam, that looks mostly good. I have now had some time to test your changes, and I have some things that may need another check.
I have added pam_tally to common-auth and the upgrade did not stop when installing the new libpam-modules. I believe the regex is missing these files, since it does not contain a "-" in the permitted characters. Currently it catches these files:

# ls -1d /etc/pam.d/* | grep -e '^/etc/pam.d/[0-9a-zA-Z/]*$'
/etc/pam.d/chfn
/etc/pam.d/chpasswd
/etc/pam.d/chsh
/etc/pam.d/login
/etc/pam.d/newusers
/etc/pam.d/other
/etc/pam.d/passwd
/etc/pam.d/runuser
/etc/pam.d/su

With a modified search it will also find the common-* files:

# ls -1d /etc/pam.d/* | grep -e '^/etc/pam.d/[0-9a-zA-Z/-]*$'
/etc/pam.d/chfn
/etc/pam.d/chpasswd
/etc/pam.d/chsh
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive
/etc/pam.d/login
/etc/pam.d/newusers
/etc/pam.d/other
/etc/pam.d/passwd
/etc/pam.d/runuser
/etc/pam.d/runuser-l
/etc/pam.d/su
/etc/pam.d/su-l

While testing I also noticed that pam-auth-update gives some errors on my system. These come from lines 710-714 of the script. Upon further checking I found that the script does not handle commented lines. We use "# ..." comments at the start of our pam-configs. Is that an intended use case, or should we add an exception to pam-auth-update to filter comment lines?

And one final nitpick: It seems I mistyped a capital T (line 21) into the text templates and this got copied over.