Here to answer my own question after a little more RTFM. The preceding
common-auth lines are set up using the new-fangled jump feature:
--
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallba
This list is actually cited as the package maintainer in the package
status for libpam-runtime, so I thought I would run this by here first
before filing a bug against the package just in case I'm terribly confused.
Both in the /usr/share/pam/common-auth template and in various
instantiations of t