Comment 18 for bug 291091

>> How about new_authtok_reqd=1 (i.e. skip the pam_deny entry)? In Hardy
>> pam_unix used to be "required", which translates into [success=ok
>> new_authtok_reqd=ok ignore=ignore default=bad], so success and
>> new_authtok_reqd had the same action back then, too.
> No, that's definitely wrong. "new_authtok_reqd=1" would mean pam_unix
> would not contribute at all to the return code of the stack, it would
> instead jump to pam_permit and return PAM_SUCCESS.

Reading the docs again, I've apparantly had the wrong idea about the
"ok" action (I somehow thought that that too would result in PAM_SUCCESS
being returned). I see the problem now. Thanks for pointing this out.