According to the documentation athttp://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/mwg-see- options.html
The module should not prompt the user for a password. Instead, it should obtain the previously typed password (by a call to pam_get_item() for the PAM_AUTHTOK item), and use that. If that doesn't work, then the user will not be authenticated. (This option is intended for auth and passwd modules only). try_first_pass seems to be deprecated as a generic optional argument. This appears to be working as designed. You may want to talk with the PAM developers upstream to change the specification. Thanks for your report! ** Changed in: pam (Ubuntu) Status: Unconfirmed => Rejected -- use_first_pass/try_first_pass weirdness https://launchpad.net/bugs/82740 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs