Comment 6 for bug 1159457

Nobuto Murata (nobuto) wrote :

"auth required" case

/etc/pam.d/common-auth:
auth required pam_usb.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so

Tom: knows his password and has the USB device
John: knows Tom's password somehow but does not have the USB device

Expected:
To log in as Tom, a user must both know Tom's password and have the USB device.

Actual:

== Tom logged out with the USB device plugged ==
[+0.00s] DEBUG: Logging to /var/log/lightdm/lightdm.log
[+0.00s] DEBUG: Starting Light Display Manager 1.2.3, UID=0 PID=12837
<snip>
[+0.65s] DEBUG: Activating VT 7
[+1.48s] DEBUG: Greeter start authentication for tom
[+1.48s] DEBUG: Started session 12960 with service 'lightdm', username 'tom'
[+1.65s] DEBUG: Session 12960 got 1 message(s) from PAM
[+1.65s] DEBUG: Prompt greeter with 1 message(s)
== Tom unplugged the USB device and left the PC ==
== After a few minutes, John came to the PC and entered Tom's password ==
[+22.02s] DEBUG: Continue authentication
[+22.06s] DEBUG: Session 12960 authentication complete with return value 0: Success
[+22.06s] DEBUG: Authenticate result for user tom: Success
[+22.08s] DEBUG: User tom authorized
[+22.10s] DEBUG: Greeter requests session ubuntu
[+22.10s] DEBUG: Using session ubuntu
[+22.10s] DEBUG: Stopping greeter
<snip>
[+22.44s] DEBUG: Starting session ubuntu as user tom
== John can log in as Tom without any USB device, just by entering the password ==

That is undesired behavior. lightdm does not time out the authentication or check the authentication result for the USB device again at the actual login.

Putting pam_usb.so after pam_unix.so can prevent the situation, though.
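The ordering effect described in this comment, as an added model (not code from the bug report, lightdm or Linux-PAM): it walks an "auth" stack with the control actions libpam documents for required/requisite/optional and the [success=1 default=ignore] jump, and treats pam_unix.so as the only module that blocks on the greeter's password prompt. The constructed scenario flips the "USB present" flag while that prompt is waiting, which is exactly the window in the log above. It also covers a case the comment does not spell out: moving pam_usb.so to the line directly after pam_unix.so makes the success=1 jump skip pam_usb.so instead of pam_deny.so, so everybody, Tom included, is denied; the placement that works is after the pam_deny/pam_permit pair (or the jump count is adjusted). Module and password values are constructed for the model.

```python
"""Model of Linux-PAM "auth" stack evaluation for the pam_usb ordering issue.

Constructed illustration, not libpam's source.  Module behaviour is reduced to
the parts that matter: pam_usb looks at whether the token is present at the
moment it runs, pam_unix blocks on the password prompt, the rest are fixed.
"""

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7

# (action on success, action on failure) for the control tokens used in the
# common-auth above.  Linux-PAM documents required as default=bad, requisite as
# default=die, optional as default=ignore; "success=N" means jump over the
# next N modules.
CONTROLS = {
    "required": ("ok", "bad"),
    "requisite": ("ok", "die"),
    "optional": ("ok", "ignore"),
    "[success=1 default=ignore]": (("jump", 1), "ignore"),
}


class World:
    """State of the machine during one lightdm authentication attempt."""

    def __init__(self, usb_present, typed_password, unplug_before_typing):
        self.usb_present = usb_present
        self.typed_password = typed_password
        self.unplug_before_typing = unplug_before_typing
        self.tom_password = "correct horse"  # constructed secret for the model

    def prompt_password(self):
        # The greeter shows its prompt here and the PAM conversation blocks
        # until someone types.  In the bug's timeline Tom unplugs the token and
        # leaves during this wait, and John types the password minutes later.
        if self.unplug_before_typing:
            self.usb_present = False
        return self.typed_password


def pam_usb(w):
    return PAM_SUCCESS if w.usb_present else PAM_AUTH_ERR


def pam_unix(w):
    return PAM_SUCCESS if w.prompt_password() == w.tom_password else PAM_AUTH_ERR


def pam_deny(w):
    return PAM_AUTH_ERR


def pam_permit(w):
    return PAM_SUCCESS


def pam_noop(w):  # stands in for pam_ecryptfs.so / pam_cap.so (optional here)
    return PAM_SUCCESS


def run_auth_stack(stack, world):
    """Return the stack verdict; stack is a list of (control, module)."""
    verdict = None  # first failure recorded by a bad/die action
    i = 0
    while i < len(stack):
        control, module = stack[i]
        rc = module(world)
        on_success, on_fail = CONTROLS[control]
        action = on_success if rc == PAM_SUCCESS else on_fail
        i += 1
        if action == "bad":
            verdict = rc if verdict is None else verdict
        elif action == "die":
            return rc if verdict is None else verdict
        elif isinstance(action, tuple) and action[0] == "jump":
            i += action[1]
        # "ok" and "ignore" just move on to the next module
    return PAM_SUCCESS if verdict is None else verdict


# The comment's common-auth: pam_usb runs before the password prompt.
ORIGINAL = [
    ("required", pam_usb),
    ("[success=1 default=ignore]", pam_unix),
    ("requisite", pam_deny),
    ("required", pam_permit),
    ("optional", pam_noop),  # pam_ecryptfs.so unwrap
    ("optional", pam_noop),  # pam_cap.so
]

# Naive reorder: pam_usb directly after pam_unix.  The success=1 jump that was
# meant to hop over pam_deny now hops over pam_usb and lands on pam_deny.
NAIVE_REORDER = [
    ("[success=1 default=ignore]", pam_unix),
    ("required", pam_usb),
    ("requisite", pam_deny),
    ("required", pam_permit),
    ("optional", pam_noop),
    ("optional", pam_noop),
]

# Working reorder: pam_usb after the pam_deny/pam_permit pair, so the token is
# checked after the password has been typed, i.e. when the login really happens.
FIXED = [
    ("[success=1 default=ignore]", pam_unix),
    ("requisite", pam_deny),
    ("required", pam_permit),
    ("required", pam_usb),
    ("optional", pam_noop),
    ("optional", pam_noop),
]


def john_scenario(stack):
    """Token plugged when the greeter starts, unplugged before the password is typed."""
    w = World(usb_present=True, typed_password="correct horse", unplug_before_typing=True)
    return run_auth_stack(stack, w)


def tom_scenario(stack):
    """Tom keeps the token plugged in and knows the password."""
    w = World(usb_present=True, typed_password="correct horse", unplug_before_typing=False)
    return run_auth_stack(stack, w)


if __name__ == "__main__":
    for name, stack in [("original", ORIGINAL), ("naive reorder", NAIVE_REORDER), ("fixed", FIXED)]:
        print(f"{name:14s} tom={tom_scenario(stack)} john={john_scenario(stack)}")
```

With the original order John gets PAM_SUCCESS because pam_usb sampled the token before the prompt; with the naive reorder both users get PAM_AUTH_ERR because the jump skips pam_usb and lands on pam_deny; with pam_usb placed after pam_permit Tom succeeds and John is refused. Whatever order is chosen, the jump count on the pam_unix line has to match the number of modules between it and pam_permit.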