Hmmm, good idea, this really helps to remove the necessary second call in another stack. Let's hope that all relevant applications call pam_sm_setcred correctly.
Yes, that's the concern - it depends on that call to know that auth succeeded so if it doesn't get it it'll blacklist remote hosts incorrectly. So far I've only tested it with sshd which does the right thing.
I guess there might be something that could be done with the 'new' config syntax that replaces required / requisite / sufficient / optional with [value1=action1 value2=action2 ...] but I haven't taken the time to experiment with it yet.
-- Andy Armstrong
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list