Nicolas Williams wrote:
> []
>
> Imagine if you could have something more like this:
>
> telnet auth { ((pam_ldap || pam_krb5 try_first_pass) && pam_unix) || fail }
>
> Actually, a boolean spec might be easier to parse and edit in software
> than the current line oriented system. It might be harder for humans to
> parse though...

Strange example. Why do you want to authenticate using _both_ pam_ldap and pam_unix (and have two password prompts -- pam_unix in your example has no {use,try}_first_pass option)!?

This sort of thing seems to be reasonable e.g. in the account/session stack (but still strange), and maybe for the passwd stack (the last is like "update both the network password and the local one, so, e.g. if the network is unavailable, you can log in using the local password"). But not for auth.

And, with proper flags for modules, this can (probably) also be achieved -- say, add an "ignore_on_error" (or, better, "ignore_if_user_not_found") flag to the module. Also, trivial reordering will help:

    required    pam_unix
    sufficient  pam_ldap
    required    pam_krb5 try_first_pass

BTW, one more word can be used on the left-hand side, something like "always-required" (that is like required but used even if some module is sufficient).

Regards,
Michael.
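
Added example, not part of the message above: a simplified Python model of how "required" and "sufficient" are evaluated, applied to the reordered stack and to the proposed "always-required" flag. The function name, the per-module outcomes and the reading of "always-required" (it still runs after a sufficient module has succeeded) are assumptions made for illustration.

```python
# Added illustration: simplified model of PAM control flags. Real PAM has more
# flags and result codes; password options such as try_first_pass are not modelled.
def run_stack(stack, outcomes):
    """stack: [(control, module)] in config order.
    outcomes: {module: True for success, False for failure} (constructed input).
    Returns (granted, modules_called)."""
    failed = False     # a required-class module has failed
    satisfied = False  # a sufficient module succeeded with no earlier failure
    succeeded = False  # at least one module succeeded
    called = []
    for control, module in stack:
        # After a sufficient success, only "always-required" modules still run.
        if satisfied and control != "always-required":
            continue
        ok = outcomes[module]
        called.append(module)
        if control in ("required", "always-required"):
            failed = failed or not ok
        elif control != "sufficient":
            raise ValueError(f"unsupported control flag: {control}")
        # A failing sufficient module is ignored.
        succeeded = succeeded or ok
        if control == "sufficient" and ok and not failed:
            satisfied = True
    return (succeeded and not failed), called

# The reordered stack from the message.
REORDERED = [("required", "pam_unix"),
             ("sufficient", "pam_ldap"),
             ("required", "pam_krb5")]
# Same stack with the proposed flag (hypothetical; not a real PAM control flag).
PROPOSED = REORDERED[:2] + [("always-required", "pam_krb5")]

# Constructed outcomes: which modules accept the user's password.
CASES = {
    "ldap user":       {"pam_unix": True,  "pam_ldap": True,  "pam_krb5": False},
    "krb5 user":       {"pam_unix": True,  "pam_ldap": False, "pam_krb5": True},
    "local-only user": {"pam_unix": True,  "pam_ldap": False, "pam_krb5": False},
    "no local entry":  {"pam_unix": False, "pam_ldap": True,  "pam_krb5": True},
}

if __name__ == "__main__":
    for name, stack in (("reordered", REORDERED), ("proposed", PROPOSED)):
        for case, outcomes in CASES.items():
            granted, called = run_stack(stack, outcomes)
            print(f"{name:9} {case:15} granted={granted!s:5} called={called}")
```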