"the default is always to fail if no module succeds", that's not true. Without a pam_deny directive listing two modules as 'sufficient' will fallback to successful authentication, that's why I opened this bug in the first place.
Try using ldap conf and setting in auth/password sufficient for both pam_ldap and pam_unix. The result is any user being allowed with any password. I found this the hard way while implementing ldap authentication, having a default pam_deny would have prevented this mistake. It might be right that stacking would break, but you can still put that at the end of pam.d/* which are != common. -- pam configuration could use safer defaults https://bugs.launchpad.net/bugs/152912 You received this bug notification because you are a member of Ubuntu Bugs, which is the bug contact for Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
