why "auth sufficient pam_deny.so" accepts *ANY AND ALL* passwords!?!??

[Tomas Mraz]

On Fri, 2006-02-03 at 07:10 +0100, Thorsten Kukuk wrote:
> On Thu, Feb 02, Christian Seberino wrote:
> 
> > How come if I change "required" to "sufficient" on the pam_deny
> > line of common-auth file below it then allows all login attempts to
> > succeed!?!
> 
> Because sufficent means: If the module returns PAM_SUCCESS, return
> with success, else ignore. If you have only sufficient modules, there
> is no failed.

Actually it's even more peculiar. The result of the stack is determined
by the required modules - in your case pam_tally, which normally
succeeds.

If there were sufficient modules only and all of them failed the result
would be a failure.

-- 
Tomas Mraz <tmraz at redhat.com>