> "the default is always to fail if no module succeeds", that's not true.
> Without a pam_deny directive listing two modules as 'sufficient' will
> fall back to successful authentication, that's why I opened this bug in the
> first place.
Well, no; if the entirety of your stack is "sufficient" modules, then the
following equivalence from /usr/share/doc/libpam-doc/txt/Linux-PAM_SAG.txt.gz
applies:

  sufficient    [success=done new_authtok_reqd=done default=ignore]

If all of the 'sufficient' modules fail, they each return an 'ignore' state
and the whole stack fails.

You are right in that if you have one "sufficient" module and one "optional"
module, the "optional" module is enough to cause the stack to succeed; but
that's just one of many ways that a user can misconfigure PAM. And as
mentioned, including pam_deny in the common-* files would make it harder to
properly support certain other relevant use cases (including some
configurations actively deployed in core Ubuntu packages).

So yes, I'm afraid this is still wontfix.

** Changed in: pam (Ubuntu)
       Status: New => Won't Fix

-- 
pam configuration could use safer defaults
https://bugs.launchpad.net/bugs/152912
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
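The disagreement above is about how libpam combines the results of the modules in one stack. As an added example (not code from the bug thread, from Linux-PAM, or from Ubuntu), the following toy evaluator applies the control-flag semantics documented in Linux-PAM_SAG (keyword controls expanded to their [value=action ...] form; 'ignore' contributes nothing, 'ok'/'done' contribute unless an earlier failure was recorded, 'bad'/'die' record the first failure, 'done'/'die' stop processing, and a stack nothing contributed to fails) to three constructed stacks: the reporter's two-sufficient-modules stack, the sufficient-plus-optional stack the reply points at, and the same stack closed with pam_deny. The module return values in each scenario are constructed inputs, not observed behaviour; jump actions ([success=1 ...]) are deliberately not modelled.

```python
# Added example, not Linux-PAM code: a toy evaluator for one PAM management
# group (e.g. the 'auth' lines) following the control-flag semantics in
# Linux-PAM_SAG. Module return values below are constructed scenario inputs.

# Keyword controls expanded to the [value=action ...] form given in the SAG.
CONTROL_EQUIV = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

SUCCESS_CODES = {"success", "new_authtok_reqd"}


def parse_control(control):
    """Accept a keyword ('sufficient') or an explicit '[success=done default=ignore]'."""
    if control.startswith("[") and control.endswith("]"):
        table = {}
        for pair in control[1:-1].split():
            value, action = pair.split("=", 1)
            table[value] = action
        return table
    return dict(CONTROL_EQUIV[control])


def evaluate_stack(stack, returns):
    """Walk a stack of (control, module) lines in file order.

    returns maps module -> the return value it yields in this scenario.
    Actions: 'ignore' contributes nothing; 'ok'/'done' contribute the module's
    result unless a failure was already recorded; 'bad'/'die' record the first
    failure; 'done'/'die' also stop processing. If nothing contributed, the
    stack fails (libpam's must-fail sanity check). Returns (outcome, trace).
    """
    status = None          # None = undefined: no module has contributed yet
    trace = []
    for control, module in stack:
        table = parse_control(control)
        ret = returns[module]
        action = table.get(ret, table.get("default"))
        if action is None:
            raise ValueError(f"{control}: no action for {ret!r} and no default")
        trace.append(f"{module}: returned {ret} -> action {action}")
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if status != "fail":
                status = "success" if ret in SUCCESS_CODES else "fail"
        elif action in ("bad", "die"):
            if status != "fail":
                status = "fail"
        else:
            raise ValueError(f"action {action!r} (jumps) not modelled here")
        if action in ("done", "die"):
            break
    if status is None:
        status = "fail"
        trace.append("no module contributed -> stack fails")
    return status, trace


# Constructed stack 1: the reporter's case, two 'sufficient' modules and nothing else.
ALL_SUFFICIENT = [("sufficient", "pam_unix.so"), ("sufficient", "pam_ldap.so")]

# Constructed stack 2: one 'sufficient' and one 'optional' module, where the
# optional module happens to succeed (the misconfiguration the reply describes).
SUFFICIENT_PLUS_OPTIONAL = [("sufficient", "pam_unix.so"), ("optional", "pam_permit.so")]

# Constructed stack 3: the same stack closed with pam_deny, as the bug asked for.
WITH_PAM_DENY = SUFFICIENT_PLUS_OPTIONAL + [("required", "pam_deny.so")]

# Constructed scenario inputs: what each module returns for a bad / good password.
BAD_PASSWORD = {"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err",
                "pam_permit.so": "success", "pam_deny.so": "auth_err"}
GOOD_PASSWORD = {**BAD_PASSWORD, "pam_unix.so": "success"}


def check_claims():
    """Outcome of each constructed stack: who gets authenticated and who does not."""
    return {
        "all_sufficient/bad":       evaluate_stack(ALL_SUFFICIENT, BAD_PASSWORD)[0],
        "sufficient+optional/bad":  evaluate_stack(SUFFICIENT_PLUS_OPTIONAL, BAD_PASSWORD)[0],
        "with_pam_deny/bad":        evaluate_stack(WITH_PAM_DENY, BAD_PASSWORD)[0],
        "with_pam_deny/good":       evaluate_stack(WITH_PAM_DENY, GOOD_PASSWORD)[0],
    }


if __name__ == "__main__":
    for name, outcome in check_claims().items():
        print(f"{name}: {outcome}")
    for line in evaluate_stack(SUFFICIENT_PLUS_OPTIONAL, BAD_PASSWORD)[1]:
        print("  " + line)
```

Run stand-alone, the two-sufficient stack fails on a bad password (both modules map to 'ignore', nothing contributes), the sufficient-plus-optional stack succeeds on a bad password because the optional module's success is an 'ok' contribution, and the trailing required pam_deny turns that into a failure while leaving the good-password path unchanged, since the sufficient module's 'done' stops the stack before pam_deny is reached. Swapping the keyword 'sufficient' for its bracketed expansion gives identical results, which is the equivalence quoted in the reply.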