Comment 1 for bug 711770

Revision history for this message
Steve Langasek (vorlon) wrote :

This is not a security issue. The default PAM stack is *deliberately* organized such that each module is tried in turn and any one succeeding authentication module is treated as a success for the whole stack.

If this is not the site policy you want, then you should use pam-auth-update to change which profiles are enabled. But the setup you describe is *not* the common case and is not what will be shipped by default in Ubuntu.